Abstract

Predicate encryption is a new encryption paradigm where the secret key owner can perform fine-grained access control over the encrypted data. In particular, the secret key owner can generate a capability corresponding to a query predicate (e.g., whether an encrypted email contains the keyword MEDICAL), and the capability allows one to evaluate the outcome of this predicate on the encrypted data.

The high-level goal of this thesis is to build predicate encryption systems that are efficient and support expressive queries and rich operations. Our contributions are summarized below:

1. We propose a predicate encryption scheme supporting multi-dimensional range queries. Prior to this work, researchers had constructed schemes supporting equality tests. Hence, our scheme supports more expressive queries than before. At the core of this construction is a technique to support conjunctive queries without leaking the outcome of each individual clause.

2. We study how to delegate capabilities in predicate encryption schemes. To demonstrate why delegation may be interesting, imagine that Alice has a capability, and she wishes to delegate to Bob a more restrictive capability allowing him to decrypt a subset of the information Alice can learn about the encrypted plaintext. We propose a security definition for delegation, and build a scheme supporting delegation and conjunctive queries.

3. Most prior work focuses on hiding the plaintext (encoded in the ciphertext), but does not provide guarantees about the secrecy of the queries (encoded in the capabilities). In other words, given a capability, one might be able to infer from it what the query predicate is. We study how to hide the query predicates, and propose a scheme supporting inner-product queries that hides the query predicates in addition to the plaintext.
Chapter 1

Introduction

1.1 What is Predicate Encryption?

Alice loves Gmail. However, she is concerned about her privacy, and she does not wish Google to read her emails. A common approach to address such privacy concerns is to use encryption. Imagine that Alice now uses traditional public-key encryption to protect the secrecy of her emails. Alice generates a public-key/private-key pair. She publishes the public key PK, so her friends can encrypt the emails using PK before sending them to Alice. Now all emails will be stored in encrypted format at Google, and Alice is happy about being able to protect her privacy.

Now Alice wishes to search for all emails satisfying “(sender = Bob) and (date within [2006, 2007])”. Unfortunately, Google can no longer search her emails, since the emails are stored in encrypted format, and without the secret key, the emails are indistinguishable from random numbers to Google. Alice can download all emails from Google, decrypt and search them locally. But what if there are too many emails to download? Alternatively, Alice can give away her private key to Google, but of course, that defeats the purpose of encryption.

This problem can be solved using a new type of encryption, called predicate encryption. Using predicate encryption, Alice can compute a capability corresponding to her query, e.g., “(sender = Bob) and (date within [2006, 2007])”. She gives this capability to Google, and Google can test the capability against Alice’s encrypted emails. In this way, Google is able to learn which emails match the query; beyond this information, Google learns nothing more about the encrypted emails. In contrast to traditional encryption, predicate encryption offers the property that access to the plaintext is no longer all-or-nothing. One can release partial information about the encrypted data in a controlled manner.


1.2 Related Work

In traditional public key encryption a user creates a public and private key pair where the private key is used to decrypt all messages encrypted under that public key. While this functionality is sufficient for applications where a one-to-one association exists between a particular user and a public key, several applications will demand finer-grained and more expressive decryption capabilities. Shamir [33] was the first to introduce finer-grained encryption systems by defining the concept of Identity-Based Encryption (IBE). In an IBE system a party encrypts a message under a particular public key and associates the ciphertext with a given string or “identity”. A user can obtain a private key, derived from a master secret key, for a particular identity and can use it to decrypt any ciphertext that was encrypted under his identity.

Since the realization of the first Identity-Based Encryption schemes by Boneh and Franklin [3] and Cocks [18], there have been a number of new cryptosystems that provided increasing functionality and expressiveness of decryption capabilities. In Attribute-Based Encryption (ABE) systems [32], a user can receive a private capability that represents a complex access control policy over the attributes of an encrypted record. Other encryption systems, including keyword search (or anonymous IBE) systems [12, 13, 22, 24, 25, 28], allow a capability holder to evaluate a predicate on the encrypted data itself and learn nothing more. This type of functionality represents a significant breakthrough in the sense that access to the encrypted data is no longer all-or-nothing; a user with a predicate capability will be able to learn partial information about encrypted data.


1.3 Applications of predicate encryption

Apart from the private Gmail scenario described above, predicate encryption also has various other applications.

Network audit logs. Recently, the network intrusion detection community has made large-scale efforts to collect network audit logs from different sites. In this application, a network gateway or an Internet Service Provider (ISP) can submit network traces to an audit log repository. However, due to the presence of privacy-sensitive information in the network traces, the gateway will allow only authorized parties to search its audit logs. We consider the following four types of entities: a gateway, an untrusted repository, an authority, and an auditor. Predicate encryption allows the gateway to submit encrypted audit logs to the untrusted repository. Normally, no one is able to decrypt these audit logs. However, when malicious behavior is suspected, an auditor may ask the authority for a search capability. With this search capability, the auditor can decrypt entries satisfying certain attack characteristics, e.g., network flows whose destination address and port number fall within a certain range. However, the privacy of all other flows should still be preserved. Note that in practice, to avoid a central point of trust, we can have multiple parties jointly act as the authority. Only when a sufficient number of the parties collaborate can they generate a valid search capability. Securely splitting the authority into multiple parties can be achieved through secure multi-party computation techniques [24], and is outside the scope of this thesis.


Financial audit logs. Financial audit logs contain sensitive information about financial transactions. Predicate encryption allows financial institutions to release audit logs in encrypted format. When necessary, an authorized auditor can obtain a decryption key from a trusted authority. With this decryption key, the auditor can decrypt certain transactions that may be suspected of fraudulent activities. However, the privacy of all other transactions is preserved.

Public health monitoring. Consider a health monitoring program. When Alice moves about in her daily life, a PDA or smart-phone she carries automatically deposits her encrypted location at a storage server. Assume that each crumb is of the form $((x, y, t), ct)$, where $(x, y)$ represents the location, $t$ represents time, and $ct$ is Alice’s contact information. During an outbreak of an epidemic, Alice wishes to be alerted if she was present at a site borne with the disease during an incubation period, i.e., if $(x, y, t)$ falls within a certain range. However, she is also concerned with privacy, and she does not wish to leak her trajectory if she has not been to a site borne with the disease.

Sharing of medical records. Medical research institutes would like to obtain patients’ medical records for their research. However, these medical records are usually privacy sensitive, and it is necessary to enforce access control, such that a cardiologist is allowed to access medical records related to heart diseases, but not records on eye diseases. Using predicate encryption, we can easily enforce such fine-grained access control policies by granting the cardiologist a capability that allows her to decrypt precisely the medical records she needs. Furthermore, if the cardiologist would like her assistant to check all cases that happened within the year 2008, she can perform a delegation operation, and generate a sub-capability that allows the decryption of all records on heart diseases within the year 2008.

Stock trading through an untrusted broker. An investor uses a broker to trade stocks. The investor does not fully trust the broker, and wishes to reveal as little information to the broker as possible. For example, the investor can place an order that says, “buy $x$ amount of stock $y$ if the price falls below $p$ today”. The broker should not be able to decrypt this order until the current price satisfies the conditions specified by the order. This problem can be addressed through predicate encryption. A party trusted by the investor (e.g., the stock exchange) issues a new capability to the broker as the stock price changes. The broker can now try to use the capability to decrypt the investor’s order. If the current price meets the conditions specified by the order, the decryption is successful, and the order gets executed. If the order is never executed, the broker learns nothing about the contents of the order, except the fact that the conditions specified by the order were never met.

Untrusted remote storage. Individual users may wish to store emails and files on a remote server, but because the storage server is untrusted, the content must be encrypted before it is stored at the remote server. Emails and files can be classified with multiple attributes. Users may wish to perform certain types of queries and retrieve only the data that satisfy the queries.

Using biometrics in anonymous IBE. Predicate encryption can also be used in biometric-based Anonymous Identity-Based Encryption (AIBE). Using biometrics in identity-based encryption first appeared in the work by Sahai and Waters [32]. In this application, a person’s biometric features such as finger-prints, blood-type, year of birth, eye color, etc., are encoded as a point $X$ in a multi-dimensional lattice. Personal data is encrypted using the owner’s biometric features as the identity, and the encryption protects both the secrecy of the personal data and the owner’s biometric identity. Due to potential noise each time a person’s biometric features are sampled, a user holding the private key for biometric identity $X$ should be allowed to decrypt data encrypted under $X'$ iff $X'$ and $X$ have small distance. In particular, the Sahai-Waters construction [32] considered the set-overlap distance (or the Hamming distance); and their encryption scheme does not hide the identity of the user. Our construction for multi-dimensional queries allows a user with the private key for identity $X$ to decrypt an entry encrypted under $X'$ iff $d(X, X') \le \epsilon$. Here $d(X, X')$ denotes the distance between $X$ and $X'$, and is defined as $\max\{|x_1 - x'_1|, \ldots, |x_D - x'_D|\}$. In this case, the decryption region is a hyper-cube in multi-dimensional space. One can also associate a different weight to each dimension, in which case the decryption region becomes a hyper-rectangle.
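As an added example (not code from the thesis), the following Python evaluates, in the clear, the hyper-cube and weighted hyper-rectangle decryption regions just described, and reuses the same range-predicate evaluator for the network audit-log query from earlier in this section (destination address and port number within a range). The sample identities, flows and weights are constructed; the reading that a per-dimension weight $w_i$ turns the test into $w_i |x_i - x'_i| \le \epsilon$ is my assumption; and nothing here models the encryption itself, only the predicate a token would evaluate.

```python
import ipaddress
from typing import Callable, List, Sequence, Tuple

Point = Sequence[float]
Box = List[Tuple[float, float]]      # one closed interval [lo, hi] per dimension
Predicate = Callable[[Point], bool]


def linf_distance(x: Point, y: Point) -> float:
    """d(X, X') = max{|x_1 - x'_1|, ..., |x_D - x'_D|}, the distance used for biometric identities."""
    if len(x) != len(y):
        raise ValueError("points must have the same dimension D")
    return max(abs(a - b) for a, b in zip(x, y))


def hypercube_predicate(center: Point, eps: float) -> Predicate:
    """True iff d(center, X') <= eps: the decryption region is a hyper-cube around center."""
    return lambda xp: linf_distance(center, xp) <= eps


def weighted_box(center: Point, eps: float, weights: Sequence[float]) -> Box:
    """Assumed weighted variant: dimension i passes when w_i * |x_i - x'_i| <= eps,
    i.e. x'_i lies in [c_i - eps/w_i, c_i + eps/w_i]. The region becomes a hyper-rectangle."""
    if any(w <= 0 for w in weights):
        raise ValueError("weights must be positive")
    return [(c - eps / w, c + eps / w) for c, w in zip(center, weights)]


def range_predicate(box: Box) -> Predicate:
    """Multi-dimensional range query: a conjunction of per-dimension interval tests.
    Only the conjunction is returned; the caller never sees which clause failed."""
    return lambda xp: len(xp) == len(box) and all(lo <= v <= hi for v, (lo, hi) in zip(xp, box))


# --- constructed sample data (not from the thesis) ---------------------------------
# Biometric identity encoded as (year of birth, blood-type code, eye-colour code).
ALICE_ID = (1980, 3, 7)
ALICE_RESAMPLED = (1981, 3, 7)   # noisy re-sample: year read off by one
STRANGER = (1980, 3, 4)          # eye colour differs by three codes


def ip_int(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


# Audit-log style query: destination address in 10.0.0.0-10.0.0.255 and port in [1433, 1434].
FLOW_BOX: Box = [(ip_int("10.0.0.0"), ip_int("10.0.0.255")), (1433, 1434)]


def flow_matches(dst: str, port: int) -> bool:
    return range_predicate(FLOW_BOX)((ip_int(dst), port))


def biometric_matches(candidate: Point, eps: float = 1) -> bool:
    return hypercube_predicate(ALICE_ID, eps)(candidate)


def weighted_biometric_matches(candidate: Point) -> bool:
    # Year may drift by up to 2, blood type not at all (large weight), eye colour by up to 1.
    box = weighted_box(ALICE_ID, eps=2, weights=(1, 1000, 2))
    return range_predicate(box)(candidate)


if __name__ == "__main__":
    print("biometric:", biometric_matches(ALICE_RESAMPLED), biometric_matches(STRANGER))
    print("flows:", flow_matches("10.0.0.17", 1434), flow_matches("10.0.1.17", 1434))
```

The same `range_predicate` serves both applications because a hyper-rectangle is exactly a conjunction of one interval test per dimension; this is the predicate class the multi-dimensional range query scheme evaluates without revealing the outcome of individual clauses.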


1.4 Efficiency and expressiveness

One important goal in designing predicate encryption systems is the ability to support complex query predicates. Meanwhile, we would like our construction to be efficient. To be specific about what we mean by efficient, we consider the following performance metrics: encryption time, ciphertext size, capability size and decryption time. Ideally, we would like all of these performance metrics to be polynomial in the length of the plaintext (and also the security parameter).

Previously, researchers have designed predicate encryption schemes that support keyword-based searches. A keyword search is an equality test: given a specially formed capability, one can evaluate whether the ciphertext is an encryption of a specific plaintext. For example, if we use such a predicate encryption system for the above-mentioned network audit log application, the auditor would be able to make queries of the form: “PORT = 1434”. (This is the typical port number used by the SQL Slammer worm.)


1.5 Summary of contributions

The high-level goal of this thesis is to develop predicate encryption schemes that (1) are efficient, (2) support expressive queries and rich operations, and (3) have better security (under certain assumptions). The main technical content of this thesis is formed around three papers [34, 35, 36], each of which proposes a novel construction, and represents an endeavor at the above-mentioned high-level goal. Table 1.1 summarizes the contributions of each of these papers. The work on multi-dimensional range query is done with J. Bethencourt, H. Chan, D. Song and A. Perrig; the work on delegation of capabilities is joint with Brent Waters; and the work on query-hiding predicate encryption is joint with Emily Shen and Brent Waters.

To help readers understand the development of this field, position our work, and understand our contributions, I also created Table 1.2, which lists related work in the area of predicate encryption.
Constructions | Expressiveness and features                              | Comments                            | Contribution
------------- | -------------------------------------------------------- | ----------------------------------- | ----------------------------------
SBCSP07 [35]  | Multi-dimensional range query                            | Secure in the match-revealing model | More expressive queries
SW08 [36]     | Conjunctive query. Delegation                            |                                     | Richer operations (delegation)
SSW08 [34]    | Inner-product query. Hides query in addition to plaintext | Secret-key setting                  | Stronger security, more expressive

Table 1.1: Summary of contributions. See Chapter 2 for the definition of match-revealing security, secret-key setting, etc.


Constructions | Expressiveness and features                               | Example query                                 | Comments
------------- | --------------------------------------------------------- | --------------------------------------------- | --------------------------------------------------
              | Equality test query                                       | Sender = Bob                                  | a.k.a. keyword searches
[12, 25]      | Conjunctive queries & extensions                          | (Sender = Bob) ∧ (Year = 2008)                | [25] reveals the outcome of individual clauses
SBCSP06 [35]  | Multi-dimensional range query                             | (Urgent ∈ [0, 3]) ∧ (Year ∈ [2003, 2008])     | Secure in the match-revealing model
SW08 [36]     | Conjunctive query. Delegation                             | (Sender = Bob) ∧ (Year = 2008)                |
[28]          | Inner-product query                                       | ⟨x, v⟩ = 0                                    |
SSW08 [34]    | Inner-product query. Hides query in addition to plaintext | ⟨x, v⟩ = 0                                    | Secret-key setting

Table 1.2: Putting it in context with related work. This table summarizes our work in this space and positions our work in context with related work. The highlighted constructions are the contributions of this thesis. The table is created roughly (not strictly) in chronological order. The BW06 construction [12] and the SBCSP06 [35] construction are independent and concurrent work. It is difficult to construct an intuitive query example for inner-product queries. However, note that inner-product is strictly more expressive than conjunctions. See Chapter 5 for more details on inner-product queries.


Outline of the thesis. Chapter 2 presents a formal definition of predicate encryption and its security. Chapters 3, 4 and 5 will each describe one of the results shown above in Table 1.1. While these three chapters are logically connected, each chapter is self-contained and can be read independently from the others.

A note on the notations. Chapter 2 gives a generic and unified definition. As each of the following Chapters 3, 4 and 5 considers a more specific scenario, we will use a more concrete instantiation of the generic definition in each chapter. The resulting variation in definition and notation across chapters is intended for notational convenience, and does not affect the essence of the generic definition given in Chapter 2. These variants of definitions and notations will be clearly stated in each chapter to avoid ambiguity.
Chapter 2

Formal Definitions

Recall that in predicate encryption, a party who owns the master secret key can generate a capability (also referred to as a token) that allows one to decrypt all data entries satisfying a certain predicate function $f$. However, all other information about the plaintext still remains secret.

In this chapter, we give formal definitions for predicate encryption and its security.


2.1 Public-key predicate encryption

We now give a formal definition for public-key predicate encryption. This definition is due to Boneh and Waters [12].

Let $X = (x_1, x_2, \ldots, x_\ell) \in \{0,1\}^\ell$ denote a plaintext. Without loss of generality, assume that we would like to evaluate from the ciphertext boolean functions (also referred to as predicates) on $X$, that is, $f : \{0,1\}^\ell \to \{0,1\}$. Functions that output multiple bits can be regarded as concatenations of boolean functions. Let $\mathcal{F}$ denote a family of boolean functions from $\{0,1\}^\ell$ to $\{0,1\}$. For example, $\mathcal{F}$ can be the set of all conjunctions on $(x_1, x_2, \ldots, x_\ell) \in \{0,1\}^\ell$. A token allows one to evaluate from the ciphertext a predicate $f \in \mathcal{F}$.

A Public-Key Predicate Encryption (PK-PE) scheme consists of the following (possibly randomized) algorithms.

Setup($1^\lambda$, $\mathcal{F}$). The Setup algorithm takes as input a security parameter $1^\lambda$ and the predicate family $\mathcal{F}$ being considered; it outputs a public key PK and a master secret key MSK.

Encrypt(PK, $X$). The Encrypt algorithm takes as input a public key PK and a plaintext $X = (x_1, x_2, \ldots, x_\ell) \in \{0,1\}^\ell$, and outputs a ciphertext CT.

GenToken(PK, MSK, $f$). The GenToken algorithm takes as input a public key PK, a master secret key MSK, and a query predicate $f \in \mathcal{F}$. It outputs a token for evaluating the predicate $f$ from a ciphertext.

Query(PK, CT, $\mathrm{TK}_f$). The Query algorithm takes as input a public key PK, a token $\mathrm{TK}_f$ for the predicate $f$, and a ciphertext CT. Suppose CT is an encryption of the plaintext $X$; the algorithm outputs $f(X)$.

2.1.1 Security definitions

To define the security for predicate encryption, we describe a query security game between a challenger and an adversary. This game formally captures the notion that the tokens reveal no unintended information about the plaintext. In this game, the adversary asks the challenger for a number of tokens. The adversary should not be able to deduce any unintended information from these tokens. The game proceeds as follows:

• Setup. The challenger runs the Setup algorithm, and gives the adversary the public key PK.

• Query 1. The adversary adaptively makes a polynomial number of queries. In each query, the adversary specifies a predicate $f \in \mathcal{F}$, and asks the challenger for a token for that predicate. The challenger computes the requested token by calling the GenToken algorithm, and returns the token to the adversary.

• Challenge. The adversary outputs two strings $X_0^*, X_1^* \in \{0,1\}^\ell$ subject to the constraint that for any predicate $f$ queried by the adversary in the Query 1 stage, the following must be true:

$$f(X_0^*) = f(X_1^*) \qquad (2.1)$$

Next, the challenger flips a random coin $b$, and encrypts $X_b^*$. It returns the ciphertext to the adversary.

• Query 2. Repeat the Query 1 stage. All predicates queried in this stage should satisfy the same condition as above.

• Guess. The adversary outputs a guess $b'$ of $b$.

The advantage of an adversary $\mathcal{A}$ in the above game is defined to be $\mathrm{Adv}_{\mathcal{A}} = |\Pr[b = b'] - 1/2|$.

Definition 2.1.1 We say that a public-key predicate encryption system is secure, if for all polynomial time adversaries $\mathcal{A}$ attacking the system, its advantage $\mathrm{Adv}_{\mathcal{A}}$ is a negligible function of $\lambda$.


2.1.2 Selective security

We also define a weaker security notion called selective security. In the selective security game, instead of submitting two strings $X_0^*, X_1^*$ in the Challenge stage, the adversary first commits to two strings at the beginning of the security game. The rest of the security game proceeds exactly as before. The selective security model has appeared in various constructions in the literature (e.g., [35]), since it is often easier to prove security in the selective model.

Definition 2.1.2 We say that a delegatable predicate encryption system is selectively secure, if all polynomial time adversaries $\mathcal{A}$ have negligible advantage in the selective security game.
2.1.3 Match revealing security

In a recently published paper [35], we define another relaxed version of security called match-revealing security. In comparison, we call the strict version of security (as defined in Section 2.1.1) match-concealing security.

In match-concealing security, the adversary does not learn any additional information about the plaintext whether or not the output of the predicate is true. The reader can think of this as “two-sided” security. By contrast, match-revealing security can be thought of as “one-sided” security:

• When the predicate evaluates to true, the adversary does not learn any additional information about the plaintext encrypted;

• When the predicate evaluates to false, we no longer care about preserving the secrecy of the plaintext.

Clearly match-concealing security implies match-revealing security. However, we are also interested in match-revealing security, because in some cases, using the relaxed version of security can lead to more efficient and practical constructions. Meanwhile, in many practical applications, we no longer care about the secrecy of the encrypted entry if it matches the query predicate. For example, in the above-mentioned network audit log example, a matching entry corresponds to a suspicious or attack flow. In this case, the auditor is interested in decrypting the entire entry and studying it. Hence, we are not obligated to preserve the privacy of these matching entries. Of course, one can also conceive of other applications where the strict notion of security, that is, match-concealing security, is necessary.

The formal definition of match-revealing security is almost the same as match-concealing security, with the exception that Equation (2.1) is replaced by the following equation:

$$f(X_0^*) = f(X_1^*) = 0$$
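The two challenge restrictions, Equation (2.1) and its match-revealing replacement, as an added Python example that is not from the thesis. It models only the challenger's bookkeeping in the query security game: which token predicates have been issued, whether a proposed challenge pair $(X_0^*, X_1^*)$ is admissible, and whether a later Query 2 token would violate the restriction. The Gmail-style records and the predicates over them are constructed for illustration, and no encryption is modelled. It shows why match-revealing security is the weaker notion: a pair of plaintexts that both satisfy a queried predicate is a legal challenge under match-concealing security but is excluded under match-revealing security, so the adversary is given less to distinguish.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Plaintext = Dict[str, object]            # constructed record, e.g. {"sender": "Bob", "year": 2006}
Predicate = Callable[[Plaintext], bool]


def equals(attr: str, value) -> Predicate:
    return lambda x: x[attr] == value


def in_range(attr: str, lo, hi) -> Predicate:
    return lambda x: lo <= x[attr] <= hi


def conj(*clauses: Predicate) -> Predicate:
    return lambda x: all(c(x) for c in clauses)


def admissible(queried: List[Predicate], x0: Plaintext, x1: Plaintext, match_revealing: bool) -> bool:
    """Challenge restriction of the game.
    Match-concealing (Eq. 2.1): f(X0*) == f(X1*) for every queried f.
    Match-revealing:           f(X0*) == f(X1*) == 0 for every queried f."""
    for f in queried:
        r0, r1 = f(x0), f(x1)
        if r0 != r1:
            return False
        if match_revealing and r0:
            return False
    return True


@dataclass
class ChallengerBookkeeping:
    """What the challenger tracks; the cryptographic scheme itself is not modelled here."""
    match_revealing: bool
    queried: List[Predicate] = field(default_factory=list)
    challenge: Optional[Tuple[Plaintext, Plaintext]] = None

    def token_query(self, f: Predicate) -> bool:
        """Query 1 / Query 2. After the challenge, a token is issued only if it keeps the restriction."""
        if self.challenge is not None and not admissible([f], *self.challenge, self.match_revealing):
            return False
        self.queried.append(f)
        return True

    def submit_challenge(self, x0: Plaintext, x1: Plaintext) -> bool:
        if not admissible(self.queried, x0, x1, self.match_revealing):
            return False
        self.challenge = (x0, x1)
        return True


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios around the query '(sender = Bob) and (date within [2006, 2007])'."""
    bob_2006_07 = conj(equals("sender", "Bob"), in_range("year", 2006, 2007))
    pairs = {
        "both_match": ({"sender": "Bob", "year": 2006}, {"sender": "Bob", "year": 2007}),
        "neither":    ({"sender": "Carol", "year": 2006}, {"sender": "Dave", "year": 2009}),
        "one_matches": ({"sender": "Bob", "year": 2006}, {"sender": "Carol", "year": 2006}),
    }
    out: Dict[str, bool] = {}
    for name, pair in pairs.items():
        for mode, flag in (("concealing", False), ("revealing", True)):
            game = ChallengerBookkeeping(match_revealing=flag)
            game.token_query(bob_2006_07)          # Query 1
            out[f"{name}/{mode}"] = game.submit_challenge(*pair)
    # Query 2: once a challenge is fixed, a token that separates the pair must be refused.
    game = ChallengerBookkeeping(match_revealing=False)
    game.submit_challenge(*pairs["both_match"])
    out["query2_splitting_token_refused"] = game.token_query(equals("year", 2006))
    out["query2_agreeing_token_allowed"] = game.token_query(equals("sender", "Bob"))
    return out


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k:40s} {v}")
```

The refusal in the Query 2 stage is the same rule as at challenge time, applied one token at a time; a challenger that forgot to check later tokens would let the adversary win trivially by asking for a token that distinguishes $X_0^*$ from $X_1^*$.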

2.2 Secret-key predicate encryption

Secret-key predicate encryption can be defined similarly to public-key predicate encryption. The difference is that in public-key encryption, anyone can encrypt using the public key. By contrast, in secret-key encryption, encryption and decryption are both performed using the secret key. Hence, only the secret-key owner can encrypt. In both settings, only the secret-key owner can decrypt.

We now define secret-key predicate encryption. More discussion on the security definitions can be found in Chapter 5.

Definition 2.2.1 (Secret-key predicate encryption) A Secret-Key Predicate Encryption (SKPE) system consists of the following (possibly randomized) algorithms.

Setup($1^\lambda$): The Setup algorithm takes as input a security parameter $1^\lambda$, and outputs a secret key MSK.

Encrypt(MSK, $x$): The Encrypt algorithm takes as input a secret key MSK and a plaintext $x \in \{0,1\}^\ell$, and outputs a ciphertext CT.

GenToken(MSK, $f$): The GenToken algorithm takes as input a secret key MSK and a query predicate $f : \{0,1\}^\ell \to \{0,1\}$. It outputs a token $\mathrm{TK}_f$ that allows one to evaluate $f(x)$ over an encryption of $x$. As mentioned above, we assume that the query predicate can be encoded as a bitstring of length $m$.

Query($\mathrm{TK}_f$, CT): The Query algorithm takes as input a token $\mathrm{TK}_f$ for the predicate $f$ and a ciphertext CT which is an encryption of $x \in \{0,1\}^\ell$; the algorithm outputs $f(x)$.

2.2.1 Security definitions: Hiding both the plaintext and the query

Public-key predicate encryption schemes guarantee the secrecy of the ciphertext; however, they do not guarantee the secrecy of the tokens. In fact, for public-key predicate encryption, it is inherently impossible to achieve ciphertext secrecy and token secrecy simultaneously. This is due to the fact that anyone is able to encrypt using the public key. In the Gmail example, if Google would like to know whether a token corresponds to the query “Title = cryptography”, Google can simply encrypt an email whose “Title = cryptography” using the public key, and test the token against the resulting ciphertext.

In secret-key predicate encryption, it is possible to guarantee the secrecy of both the plaintext (encoded in a ciphertext) and that of the query (encoded in a token). This provides even stronger privacy guarantees in practice.

We now formally define the security for secret-key predicate encryption. As mentioned above, our definition aims to guarantee the secrecy of the plaintext, as well as the query.

To explain the intuition behind our security definition, consider a privacy-preserving remote storage application, where Alice stores her encrypted documents on a remote server, and later issues tokens to the server to search for matching documents. Our goal is to leak as little information to the storage server as possible. Under our model, Alice makes a query by submitting a token to the server, and the server learns exactly which of her encrypted documents match the query, and returns the matching documents to Alice. Therefore, in this framework, the server inevitably learns Alice’s access pattern, a.k.a. which documents Alice retrieves with each query.

We would like to define security in the strongest sense possible: informally, the storage server should learn only Alice’s access pattern, and nothing more. In particular, this implies that the server learns nothing about Alice’s encrypted documents, or what queries she is making.

To capture the notion that the server learns only Alice’s access pattern, we need to first formally define what access pattern means. Intuitively, the access pattern is the outcomes of $q$ predicates on $n$ plaintexts.

Definition 2.2.2 (Access pattern) Let $X = (x_1, \ldots, x_n)$ denote an ordered list of $n$ plaintexts, where $x_i \in \{0,1\}^\ell$ for $1 \le i \le n$. Let $F = (f_1, f_2, \ldots, f_q)$ denote an ordered list of $q$ query predicates, where $f_i \in \{0,1\}^m$ for $1 \le i \le q$. The access pattern on $X$ and $F$ is a $q \times n$ matrix:

$$\mathrm{AccessPattern}(X, F) := \begin{pmatrix} f_1(x_1) & f_1(x_2) & \cdots & f_1(x_n) \\ f_2(x_1) & f_2(x_2) & \cdots & f_2(x_n) \\ \vdots & \vdots & \ddots & \vdots \\ f_q(x_1) & f_q(x_2) & \cdots & f_q(x_n) \end{pmatrix}$$
We now proceed to define the security for SKPE. Let

$$X = (x_1, x_2, \ldots, x_n), \quad X' = (x'_1, x'_2, \ldots, x'_n)$$

denote two ordered lists of plaintexts. Let

$$F = (f_1, f_2, \ldots, f_q), \quad F' = (f'_1, f'_2, \ldots, f'_q)$$

denote two ordered lists of query predicates. Now imagine the following two worlds. In World 0, the server sees $n$ encrypted documents and $q$ tokens:

$$(\mathrm{Enc}(x_1), \mathrm{Enc}(x_2), \ldots, \mathrm{Enc}(x_n)),\ (\mathrm{TK}_{f_1}, \mathrm{TK}_{f_2}, \ldots, \mathrm{TK}_{f_q})$$

In World 1, the server sees $n$ encrypted documents and $q$ tokens:

$$(\mathrm{Enc}(x'_1), \mathrm{Enc}(x'_2), \ldots, \mathrm{Enc}(x'_n)),\ (\mathrm{TK}_{f'_1}, \mathrm{TK}_{f'_2}, \ldots, \mathrm{TK}_{f'_q})$$

Suppose the two worlds have the same access pattern, i.e.,

$$\mathrm{AccessPattern}(X, F) = \mathrm{AccessPattern}(X', F')$$

Informally, the server should not be able to distinguish between the two worlds. The security definition presented below describes a game between a challenger and an adversary, and is intended to capture this notion of indistinguishability between these two worlds. Moreover, the definition considers an adaptive adversary: one who can choose what ciphertext/token queries to make depending on the previous interactions with the challenger.

Definition 2.2.3 (SKPE full security) We say that an SKPE scheme is fully secure if no polynomial-time adversary has more than negligible advantage in the following game.

Setup. The challenger runs the Setup algorithm, and retains the secret key MSK to itself. In addition, it flips a random coin $b$, and keeps the bit $b$ to itself as well. Define four ordered lists, $X_0, F_0, X_1, F_1$, where $(X_0, F_0)$ will record plaintexts and predicates queried by the adversary in World 0, and $(X_1, F_1)$ will record plaintexts and predicates queried by the adversary in World 1. Initially, all four lists are empty.

Query. The adversary adaptively makes the following types of queries. The adversary can make up to a polynomial number of these queries.

• Ciphertext query. The adversary specifies two plaintexts $x_0, x_1 \in \{0,1\}^l$ to the challenger. The challenger encrypts $x_b$ and returns the ciphertext to the adversary. Append $x_0$ to the list $X_0$, and $x_1$ to the list $X_1$.

• Token query. The adversary specifies two predicates $f_0, f_1 \in \{0,1\}^m$ to the challenger. The challenger computes a token for the predicate $f_b$, and gives the resulting token to the adversary. Append $f_0$ to the list $F_0$, and $f_1$ to the list $F_1$.

All queries made in this stage should be indistinguishable by access pattern. In other words, at the end of the game, all queries made should satisfy the following condition:

$$\mathrm{AccessPattern}(X_0, F_0) = \mathrm{AccessPattern}(X_1, F_1)$$

Guess. The adversary outputs a guess $b'$ of the bit $b$. Its advantage is defined as $\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.
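The access-pattern matrix of Definition 2.2.2 and the admissibility condition the challenger enforces in the game of Definition 2.2.3, as an added Python example that is not part of the thesis. The documents, the keyword predicate family and the two query sequences are constructed for illustration; no SKPE scheme is modelled here, only the bookkeeping the challenger does on plaintexts and predicates, which is exactly what it is allowed to see.

```python
# Added example (not from the thesis): the access pattern of Definition 2.2.2
# and the admissibility check a challenger applies in the game of Definition 2.2.3.
from typing import Callable, Sequence, Tuple

Predicate = Callable[[bytes], bool]
Matrix = Tuple[Tuple[int, ...], ...]


def access_pattern(X: Sequence[bytes], F: Sequence[Predicate]) -> Matrix:
    """q x n matrix whose (i, j) entry is f_i(x_j): row i is the set of
    documents matched by the i-th token, which is all the server observes."""
    return tuple(tuple(int(f(x)) for x in X) for f in F)


def keyword(kw: bytes) -> Predicate:
    """Constructed predicate family: 'does the document contain kw?'."""
    return lambda doc: kw in doc


def admissible(X0, F0, X1, F1) -> bool:
    """Condition the adversary's query sequences must satisfy at the end of the
    game: both worlds have the same number of ciphertexts and tokens and
    identical access patterns.  Pairs violating it are ruled out because the
    access pattern is leaked by design (the server must return the matches)."""
    if len(X0) != len(X1) or len(F0) != len(F1):
        return False
    return access_pattern(X0, F0) == access_pattern(X1, F1)


class GameTranscript:
    """Records the (x_0, x_1) and (f_0, f_1) pairs an adversary submits, in the
    order given, so the challenger can check admissibility at the end."""

    def __init__(self) -> None:
        self.X0, self.X1, self.F0, self.F1 = [], [], [], []

    def ciphertext_query(self, x0: bytes, x1: bytes) -> None:
        self.X0.append(x0)
        self.X1.append(x1)

    def token_query(self, f0: Predicate, f1: Predicate) -> None:
        self.F0.append(f0)
        self.F1.append(f1)

    def is_admissible(self) -> bool:
        return admissible(self.X0, self.F0, self.X1, self.F1)


# Constructed sample: two worlds with different documents and different queries
# but the same access pattern, so the game does not let the server tell them apart.
WORLD0_DOCS = [b"patient record MEDICAL", b"invoice 2007", b"meeting notes"]
WORLD1_DOCS = [b"lab results SECRET", b"receipt 77", b"diary"]
WORLD0_PREDS = [keyword(b"MEDICAL"), keyword(b"invoice")]
WORLD1_PREDS = [keyword(b"SECRET"), keyword(b"receipt")]


def sample_transcript(admissible_run: bool = True) -> GameTranscript:
    """Build a transcript; with admissible_run=False the second token query in
    World 1 matches a different document, so the access patterns differ."""
    g = GameTranscript()
    for x0, x1 in zip(WORLD0_DOCS, WORLD1_DOCS):
        g.ciphertext_query(x0, x1)
    g.token_query(WORLD0_PREDS[0], WORLD1_PREDS[0])
    g.token_query(WORLD0_PREDS[1],
                  WORLD1_PREDS[1] if admissible_run else keyword(b"diary"))
    return g


if __name__ == "__main__":
    g = sample_transcript()
    print(access_pattern(g.X0, g.F0))   # ((1, 0, 0), (0, 1, 0)) in both worlds
    print(g.is_admissible(), sample_transcript(False).is_admissible())
```

The second transcript is rejected because its World 1 token would match the third document instead of the second; a server that sees this difference is distinguishing the worlds by access pattern alone, which the definition deliberately does not count as a break.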
Chapter 3

Multi-Dimensional Range Query over Encrypted Data


3.1  Multi-dimensional  Range  Queries  over  Encrypted  Data 


In this section, we demonstrate a predicate encryption system supporting multi-dimensional range queries. The contents of this section are based on work published in a recent paper [35]. Therefore, throughout this section, we use notation consistent with the paper [35].

We are particularly interested in multi-dimensional range queries because they are the most prevalent type of query in current database systems. In fact, SQL queries are by nature multi-dimensional range queries.


3.1.1  Overview  of  our  construction 

We assume that each plaintext entry has $D$ attributes, and the query predicates are conjunctions of range queries over a subset of these $D$ attributes. For example, assume that each entry has the structure (IP, port, time), and below is a typical example of a multi-dimensional range query:

$$(\mathrm{IP} \in [128.2.*.*]) \wedge (\mathrm{time} \in [2006, 2007])$$

A more formal and complete definition will be given in Section 3.1.2.

We give a provably secure predicate encryption system for multi-dimensional range queries. The performance of our construction is summarized in Table 3.1.

Comparison  with  BonehWaters06.  In  the  above  table,  the  BonehWaters06  scheme  is  concur¬ 
rent  and  independent  work  to  ours.  In  their  paper,  they  give  a  general  definition  for  predicate  en¬ 
cryption,  and  propose  a  scheme  called  Hidden  Vector  Encryption  (HVE)  for  performing  conjunc¬ 
tive  equality  tests.  They  then  show  how  HVE  can  be  extended  to  support  conjunctive  subset/range 
queries. 

The  HVE  construction  given  by  Boneh  and  Waters  has  ciphertext  length  and  encryption  time 
linear  with  respect  to  the  length  of  the  plaintext.  The  token  size  has  length  linear  in  the  number 
Scheme               Pub. Key Size    Encrypt. Cost    CT Size          Token Size       Decrypt. Cost    Security
BonehWaters06 [12]   O(D · T)         O(D · T)         O(D · T)         O(D)             O(D)             MC
Naive AIBE-based     O(1)             O((log T)^D)     O((log T)^D)     O((log T)^D)     O((log T)^D)     MR
Our scheme           O(D · log T)     O(D · log T)     O(D · log T)     O(D · log T)     O((log T)^D)     MR

Table 3.1: Performance of different approaches. $D$ denotes the number of dimensions and $T$ the number of points in each dimension. The naive AIBE-based scheme is described in Section 3.2.3. MC and MR refer to the match-concealing and match-revealing security models respectively.


of clauses in the conjunctive query, and so is decryption time. The HVE construction is efficient in the sense that all performance measures are polynomial (in fact, linear) in the length of the plaintext encrypted. However, to extend HVE to support multi-dimensional range queries, they need to incur an exponential cost. Notice that in Table 3.1 the public key size, ciphertext size and encryption time are all $O(D \cdot T)$, and this is exponential in the length of $T$ (i.e., the number of bits needed to encode $T$ distinct values).

Our construction is very similar to the BonehWaters06 work in many ways. We also use pairing-based techniques to build our construction. Although the two schemes appear different at the algebra level (for example, the two constructions use different types of bilinear groups), at the core of both constructions is a similar idea to defend against the collusion attack (see Section 3.3.2). In particular, although not explicitly stated, the core of our construction is also an HVE-like scheme that supports a conjunction of equality tests, and it can be proven secure in the match-concealing security model. However, we encountered similar difficulties when we endeavored to extend it to support multi-dimensional range queries: essentially, we had to incur a significant cost which would have made the construction too expensive in practice, and notably so in the network audit log and similar applications.

To cope with such difficulties, we propose a relaxed security notion, namely match-revealing security. Our multi-dimensional range query construction uses this relaxed security notion instead. Doing so allows a better trade-off among the various performance measures. As shown in Table 3.1, our construction has $O(D \log T)$ public key size, ciphertext size and encryption time. In comparison, the BonehWaters06 construction has $O(DT)$ public key size, ciphertext size and encryption time. On the other hand, our construction is more expensive in decryption time. We need $O((\log T)^D)$ decryption time while the BonehWaters06 construction has a decryption time of $O(D)$. In applications like network audit logs as described above, $T$ can be as large as $2^{32}$ to encode an IP address, and typically $D$ may range from 2 to 4. In such scenarios where $T$ is large and $D$ is small, our construction is more practical. However, one can also conceive of other applications where $T$ is small and $D$ is large, and in these cases, the BonehWaters06 construction would be more practical.

3.1.2  Definitions 

In the network audit log application, a gateway encrypts network flows, and submits them to an untrusted repository. When necessary, an auditor may ask an authority for a key that allows the decryption of all flows whose attributes fall within a certain range, while the privacy of all irrelevant flows is still preserved. There is a geometric interpretation to these multi-attribute range queries. Suppose that we would like to allow queries on these three fields: time-stamp $t$, source address $a$, and destination port $p$. The tuple $(t, a, p)$ can be regarded as a point $X$ in multi-dimensional space. Now suppose we query for all flows whose $t, a, p$ fall within some range: $t \in [t_1, t_2]$, $a \in [a_1, a_2]$ and $p \in [p_1, p_2]$. Here the "hyper-range" $[t_1, t_2] \times [a_1, a_2] \times [p_1, p_2]$ forms a hyper-rectangle $B$ in space. The above range query is equivalent to testing whether the point $X$ falls inside the hyper-rectangle $B$.

We now formally define the notions mentioned above. Assume that an attribute can be encoded using discrete integer values 1 through $T$. For example, an IP address can be encoded using integers 1 through $2^{32}$. We use the notation $[T]$ to denote the integers from 1 to $T$, i.e., $[T] = \{1, 2, \ldots, T\}$. For integers $S \le T$, we use $[S, T]$ to denote the integers from $S$ to $T$ inclusive, i.e., $[S, T] = \{S, S+1, \ldots, T\}$. We assume that $T$ is a power of 2, and write $\log$ for $\log_2$. Suppose that we would like to support range queries on $D$ different attributes, each of which can take on values in $[T_1], [T_2], \ldots, [T_D]$ respectively. We formally define a $D$-dimensional lattice, points and hyper-rectangles below.

Definition 3.1.1 ($D$-dimensional lattice, point, hyper-rectangle) Let $\Delta = (T_1, T_2, \ldots, T_D)$. $L_\Delta = [T_1] \times [T_2] \times \cdots \times [T_D]$ defines a $D$-dimensional lattice. A $D$-tuple $X = (x_1, x_2, \ldots, x_D)$ defines a point in $L_\Delta$, where $x_d \in [T_d]$ ($\forall d \in [D]$). A hyper-rectangle $B$ in $L_\Delta$ is defined as $B(s_1, t_1, s_2, t_2, \ldots, s_D, t_D) = \{(x_1, x_2, \ldots, x_D) \mid \forall d \in [D],\ x_d \in [s_d, t_d]\}$ ($\forall d \in [D],\ 1 \le s_d \le t_d \le T_d$).

An  MRQED  scheme  consists  of  four  (possibly  randomized)  polynomial-time  algorithms:  Setup, 
Encrypt,  DeriveKey  and  QueryDecrypt.  In  the  network  audit  log  example,  an  authority 
runs  Setup  to  generate  public  parameters  and  a  master  private  key;  a  gateway  runs  the  Encrypt 
algorithm  to  encrypt  a  flow.  Encryption  is  performed  on  a  pair  (Msg,  X).  The  message  Msg 
is  an  arbitrary  string,  and  X  is  a  point  in  multi-dimensional  space,  representing  the  attributes. 
For  example,  suppose  that  we  would  like  to  support  queries  on  the  following  three  attributes  of 
a  flow:  time-stamp  t,  source  address  a,  and  destination  port  p.  The  tuple  (t,  a,p)  then  becomes 
the  point  X,  and  the  entire  flow  summary  forms  the  message  Msg.  Whenever  necessary,  the  au¬ 
thority  can  run  the  DeriveKey  algorithm,  and  compute  a  decryption  key  allowing  the  decryption 
of  flows  whose  attributes  fall  within  a  certain  range.  Given  this  decryption  key,  an  auditor  runs 
the  QueryDecrypt  algorithm  over  the  encrypted  data  to  decrypt  the  relevant  flows.  We  now 
formally  define  MRQED. 

Definition 3.1.2 (MRQED) A Multi-dimensional Range Query over Encrypted Data (MRQED) scheme consists of the following polynomial-time randomized algorithms.

1. Setup($\Sigma$, $L_\Delta$): Takes a security parameter $\Sigma$ and a $D$-dimensional lattice $L_\Delta$ and outputs a public key PK and a master private key SK.

2. Encrypt(PK, $X$, Msg): Takes a public key PK, a point $X$, and a message Msg from the message space $\mathcal{M}$ and outputs a ciphertext $C$.

3. DeriveKey(PK, SK, $B$): Takes a public key PK, a master private key SK, and a hyper-rectangle $B$ and outputs a decryption key for hyper-rectangle $B$.

4. QueryDecrypt(PK, DK, $C$): Takes a public key PK, a decryption key DK, and a ciphertext $C$ and outputs either a plaintext Msg or $\bot$, signaling decryption failure.

For each message $\mathrm{Msg} \in \mathcal{M}$, hyper-rectangle $B \subseteq L_\Delta$, and point $X \in L_\Delta$, the above algorithms must satisfy the following consistency constraints:

$$
\mathrm{QueryDecrypt}(\mathrm{PK}, \mathrm{DK}, C) =
\begin{cases}
\mathrm{Msg} & \text{if } X \in B \\
\bot \text{ w.h.p.} & \text{if } X \notin B
\end{cases}
\qquad (3.1)
$$

where $C = \mathrm{Encrypt}(\mathrm{PK}, X, \mathrm{Msg})$ and $\mathrm{DK} = \mathrm{DeriveKey}(\mathrm{PK}, \mathrm{SK}, B)$.


3.1.3  Security  Definitions 


Suppose that during time $[t_1, t_2]$, there is an outbreak of a worm characterized by the port number $p_1$. Now the trusted authority issues a key for the range $t \in [t_1, t_2]$ and $p = p_1$ to a research group who has been asked to study the worm behavior. With this key, the research group should be able to decrypt only flows whose time-stamp and port number fall within the given range. The privacy of all other flows should still be preserved. Informally, suppose that a computationally bounded adversary has obtained decryption keys for regions $B_0, B_1, \ldots, B_q$. Now given a ciphertext $C = \mathrm{Encrypt}(\mathrm{PK}, X, \mathrm{Msg})$ such that $X \notin B_0, B_1, \ldots, B_q$, the adversary cannot learn $X$ or Msg from $C$. Of course, since the adversary fails to decrypt $C$ using keys for regions $B_0, B_1, \ldots, B_q$, the adversary inevitably learns that the point $X$ encrypted does not fall within these regions. But apart from this fact, the adversary cannot learn more information about $X$ or Msg.

We now formalize this intuition into a selective security game for MRQED. In particular, we will prove the security of our construction under the selective, match-revealing model. Here, the selective security notion is similar to the selective-ID security for IBE schemes [3, 14, 15]. As mentioned in Section 2.1.1, a stronger notion of security is match-concealing, adaptive security.

Below, we state the formal definition of security in the selective, match-revealing model. Note that the security definitions for MRQED can be inferred from the security definition for general predicate encryption given in Section 2.1.1. However, for clarity, we now state it again in the context of multi-dimensional range queries.


Definition 3.1.3 (MR-selective security) An MRQED scheme is selectively secure in the match-revealing (MR) model if all polynomial-time adversaries have at most a negligible advantage in the selective security game defined below.

• Init: The adversary submits two points $X_0^*, X_1^* \in L_\Delta$ where it wishes to be challenged.

• Setup: The challenger runs the Setup($\Sigma$, $L_\Delta$) algorithm to generate PK, SK. It gives PK to the adversary, keeping SK secret.

• Phase 1: The adversary adaptively issues decryption key queries for hyper-rectangles:

$$B_1, B_2, \ldots, B_{q_0}$$

Furthermore, $X_0^*$ and $X_1^*$ are not contained in any hyper-rectangle queried in this phase, i.e., for $0 < i \le q_0$, $X_0^* \notin B_i$ and $X_1^* \notin B_i$.

• Challenge: The adversary submits two equal-length messages $\mathrm{Msg}_0, \mathrm{Msg}_1 \in \mathcal{M}$. The challenger flips a random coin $b$, and encrypts $\mathrm{Msg}_b$ under $X_b^*$. The ciphertext is passed to the adversary.

• Phase 2: Phase 1 is repeated. The adversary adaptively issues decryption key queries for hyper-rectangles $B_{q_0+1}, B_{q_0+2}, \ldots, B_q$. As before, all hyper-rectangles queried in this stage must not contain $X_0^*$ or $X_1^*$.

• Guess: The adversary outputs a guess $b'$ of $b$.

An adversary $\mathcal{A}$'s advantage in the above game is defined as $\mathrm{Adv}_{\mathcal{A}}(\Sigma) = \left|\Pr[b = b'] - \tfrac{1}{2}\right|$.


3.2  A  First  Attempt  to  Construct  MRQED 


3.2.1  Trivial  construction 


We first give a trivial construction for one-dimensional range query over encrypted data. We refer to one-dimensional range query over encrypted data as MRQED$^1$, where the superscript represents the number of dimensions.

In the trivial MRQED$^1$ construction, we make use of any secure public key encryption scheme. We first generate $O(T^2)$ public-private key pairs, one for each range $[s, t] \subseteq [1, T]$. To encrypt a message Msg under a point $x$, we produce $O(T^2)$ ciphertexts, one for each range $[s, t] \subseteq [1, T]$. In particular, if $x \in [s, t]$, we encrypt Msg with public key $\mathrm{pk}_{s,t}$; otherwise, we encrypt an invalid message $\bot$ with $\mathrm{pk}_{s,t}$. The decryption key for any range $[s, t]$ is then $\mathrm{sk}_{s,t}$, the private key for $[s, t]$.

We now give a formal description of the above construction for one-dimensional range queries. Let $\mathcal{ES} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ denote a secure public key encryption scheme, where $\mathcal{K}$, $\mathcal{E}$ and $\mathcal{D}$ represent the key generation, encryption and decryption algorithms respectively. We build an MRQED$^1$ scheme based on $\mathcal{ES}$ as below.

• During Setup, one runs $\mathcal{K}$, the key generation algorithm, $O(T^2)$ times to generate the following public and private keys:

$$\mathrm{PK} = \{\mathrm{pk}_{s,t} \mid 1 \le s \le t \le T\}, \quad \mathrm{SK} = \{\mathrm{sk}_{s,t} \mid 1 \le s \le t \le T\}$$

• To encrypt a pair (Msg, $x$) where $x$ is a point between 1 and $T$, first define for $1 \le s \le t \le T$

where $\bot$ denotes the "invalid message". Now one runs the encryption algorithm $\mathcal{E}$, and for all ranges $[s, t] \subseteq [1, T]$, one encrypts $\delta_{s,t}(\mathrm{Msg}, x)$ under $\mathrm{pk}_{s,t}$. The result of encryption is a tuple of length $T^2$, denoted $(c_{1,1}, c_{1,2}, \ldots, c_{T,T})$.

• To release a decryption key $\mathrm{DK}_{s,t}$ for range $[s, t] \subseteq [1, T]$, one releases the key $\mathrm{sk}_{s,t}$.

• To decrypt a ciphertext $C = (c_{1,1}, c_{1,2}, \ldots, c_{T,T})$ with $\mathrm{DK}_{s,t}$, one uses $\mathrm{DK}_{s,t}$ to decrypt $c_{s,t}$. Decryption either yields $\bot$, if the point $x$ encrypted does not fall within the range $[s, t]$; or it yields the message Msg, if $x$ falls within $[s, t]$.
Figure 3.1: An MRQED$^1$ scheme. (a) Path from the leaf node representing $x \in [T]$ to the root, $P(x) = \{ID_1, ID_2, ID_3, ID_4\}$. (b) A ciphertext and a decryption key in MRQED$^1$: encryption under the point $x = 3$ and the keys released for the range $[3, 7]$.


Clearly, the trivial MRQED$^1$ construction results in $O(T^2)$ public key size, $O(T^2)$ encryption overhead and ciphertext size, $O(1)$ decryption key size and $O(1)$ decryption cost.

One can easily extend the trivial construction into multiple dimensions. The resulting MRQED$^D$ scheme requires that one encrypt $\delta_B(\mathrm{Msg}, X)$ for all hyper-rectangles $B$ in space. Therefore, the trivial MRQED$^D$ scheme has $O(T^{2D})$ public key size, $O(T^{2D})$ encryption cost and ciphertext size, $O(1)$ decryption key size and $O(1)$ decryption cost.


3.2.2 Improved MRQED$^1$ construction based on AIBE

We show an improved MRQED construction based on Anonymous Identity-Based Encryption (AIBE). For clarity, we first explain the construction for one dimension. We call the scheme MRQED$^1$, where the superscript denotes the number of dimensions. We note that the primitives and notation introduced in this section will be used in our main construction.


Primitives:  Efficient  Representation  of  Ranges 

To represent ranges efficiently, we build a binary interval tree over the integers 1 through $T$.

Definition 3.2.1 (Interval tree) Let $\mathrm{tr}(T)$ denote a binary interval tree over the integers from 1 to $T$. Each node in the tree has a pre-assigned unique ID. For convenience, we define $\mathrm{tr}(T)$ to be the set of all node IDs in the tree. Each node in $\mathrm{tr}(T)$ represents a range. Let $\mathrm{cv}(ID)$ denote the range represented by node $ID \in \mathrm{tr}(T)$. Define $\mathrm{cv}(ID)$ as follows: if $ID$ is the $i$th leaf node, then $\mathrm{cv}(ID) = \{i\}$. Otherwise, when $ID$ is an internal node, let $ID_1$ and $ID_2$ denote its child nodes; then $\mathrm{cv}(ID) = \mathrm{cv}(ID_1) \cup \mathrm{cv}(ID_2)$. In other words, $\mathrm{cv}(ID)$ is the set of integers that correspond to the leaf descendants of $ID$.

Given the interval tree $\mathrm{tr}(T)$, we define the set $P(x)$ of IDs covering a point $x \in [1, T]$, and the set $\Lambda(s, t)$ of IDs representing a range $[s, t] \subseteq [1, T]$.

• Set of IDs covering a point $x$. For a point $x \in [1, T]$ and some node $ID \in \mathrm{tr}(T)$, we say that $ID$ covers the point $x$ if $x \in \mathrm{cv}(ID)$. Define $P(x)$ to be the set of IDs covering point $x$. Clearly, $P(x)$ is the collection of nodes on the path from the root to the leaf node representing $x$. As an example, in Figure 3.1(a), $P(x) = \{ID_1, ID_2, ID_3, ID_4\}$.

• Range as a collection of IDs. A range $[s, t] \subseteq [1, T]$ is represented by a collection of nodes $\Lambda(s, t) \subseteq \mathrm{tr}(T)$. We define $\Lambda(s, t)$ to be the smallest of all subsets $Y \subseteq \mathrm{tr}(T)$ such that $\bigcup_{ID \in Y} \mathrm{cv}(ID) = [s, t]$. It is not hard to see that for any $[s, t] \subseteq [1, T]$, $\Lambda(s, t)$ is uniquely defined, and its size $|\Lambda(s, t)|$ is at most $O(\log T)$.

We will make use of the following properties in our AIBE-based construction: if $x \in [s, t]$, then $P(x) \cap \Lambda(s, t) \ne \emptyset$; in addition, $P(x)$ and $\Lambda(s, t)$ intersect at only one node. Otherwise, if $x \notin [s, t]$, then $P(x) \cap \Lambda(s, t) = \emptyset$.

AIBE-Based MRQED$^1$ Scheme

AIBE encrypts a message Msg using an identity $ID$ as the public key. Given the private key for $ID$, one can successfully decrypt all messages encrypted under identity $ID$. The encryption scheme protects both the secrecy of the message Msg and the identity $ID$ in the following sense: given a ciphertext $C$, which is an encryption of Msg under identity $ID_0$, and given decryption keys for identities $ID_1, ID_2, \ldots, ID_q$ but not for $ID_0$, a computationally bounded adversary cannot learn anything about Msg or about $ID_0$ from the ciphertext $C$. Researchers have successfully constructed secure AIBE schemes [11, 13] with $O(1)$ cost in all respects: in public parameter size, encryption cost, ciphertext size, decryption key size and decryption cost.

Given a secure AIBE scheme, we can construct an MRQED$^1$ scheme based on the following intuition. To encrypt the message Msg under point $x$, we encrypt Msg under all IDs in $P(x)$. To release the decryption key for a range $[s, t] \subseteq [1, T]$, we release the keys for all IDs in $\Lambda(s, t)$. Now if $x \in [s, t]$, then $P(x) \cap \Lambda(s, t) \ne \emptyset$. Suppose $P(x)$ and $\Lambda(s, t)$ intersect at node $ID$. Then we can apply the decryption key for $ID$ to the ciphertext encrypted under $ID$, and obtain the plaintext message Msg. Otherwise, if $x \notin [s, t]$, then $P(x) \cap \Lambda(s, t) = \emptyset$. In this case, the security of the underlying AIBE scheme ensures that a computationally bounded adversary cannot learn any information about the message Msg or the point $x$, except for the obvious fact (since decryption fails) that $x \notin [s, t]$.

Example. In Figure 3.1(b), we show a ciphertext $C$ encrypted under the point $x$. Let $L = O(\log T)$ denote the height of the tree; $C$ is composed of $O(\log T)$ components: $\{c_1, c_2, \ldots, c_L\}$. On the right, we show the decryption keys for the range $[3, 7]$. Since $[3, 7]$ can be represented by the set of nodes $\Lambda(3, 7) = \{ID_A, ID_B, ID_C\}$, the decryption key for $[3, 7]$ consists of three sub-keys, $k_{ID_A}$, $k_{ID_B}$ and $k_{ID_C}$.

The AIBE-based construction has $O(1)$ public key size, $O(|P(x)|)$ encryption cost and ciphertext size, and $O(|\Lambda(s, t)|)$ decryption key size. Since $|P(x)| = O(\log T)$ and $|\Lambda(s, t)| = O(\log T)$, we get $O(\log T)$ in encryption cost, ciphertext size, and decryption key size. Later, we will show that decryption can be done in $O(\log T)$ time as well.

Stated more formally, given a secure AIBE scheme denoted

$$\mathrm{Setup}^*(\Sigma),\ \mathrm{DeriveKey}^*(\mathrm{PK}, \mathrm{SK}, ID),\ \mathrm{Encrypt}^*(\mathrm{PK}, ID, \mathrm{Msg}),\ \mathrm{Decrypt}^*(\mathrm{PK}, \mathrm{DK}, C),$$

one can construct a secure MRQED$^1$ scheme as below:

• Setup($\Sigma$, $T$) calls Setup$^*$($\Sigma$) and outputs PK and SK.

• Encrypt(PK, $x$, Msg) encrypts the message Msg under every $ID \in P(x)$. In other words, Encrypt yields $C = \{c_{ID} \mid ID \in P(x)\}$, where $c_{ID} = \mathrm{Encrypt}^*(\mathrm{PK}, ID, \mathrm{Msg} \| 0^{m'})$. To allow checking whether a decryption is valid, prior to encryption we append $m'$ trailing 0s, denoted $0^{m'}$, to the message $\mathrm{Msg} \in \{0,1\}^m$.

• DeriveKey(PK, SK, $[s, t]$) releases a decryption key $k_{ID}$ for each $ID \in \Lambda(s, t)$. $k_{ID}$ is computed as $k_{ID} = \mathrm{DeriveKey}^*(\mathrm{PK}, \mathrm{SK}, ID)$. The entire decryption key for the range $[s, t]$ is then the set $\mathrm{DK}_{s,t} = \{k_{ID} \mid ID \in \Lambda(s, t)\}$.

• QueryDecrypt(PK, DK, $C$) tries each key $k_{ID} \in \mathrm{DK}_{s,t}$ on each ciphertext component $c_{ID'} \in C$. If $ID = ID'$, then $\mathrm{Decrypt}^*(\mathrm{PK}, k_{ID}, c_{ID'})$ yields a result of the form $\mathrm{Msg} \| 0^{m'}$. In this case, we accept the result and exit the QueryDecrypt algorithm. If all trials fail to yield a result of the form $\mathrm{Msg} \| 0^{m'}$, QueryDecrypt outputs $\bot$, indicating failure to decrypt.

Note that in the AIBE-based construction, if we simply try all decryption keys over all ciphertext components, then decryption would require $O(|P(x)| \cdot |\Lambda(s, t)|)$ time; since $|P(x)| = O(\log T)$ and $|\Lambda(s, t)| = O(\log T)$, decryption would require $O(\log^2 T)$ time. However, observe that it is not necessary to try $k_{ID}$ on $c_{ID'}$ if $ID$ and $ID'$ are at different depths in the tree, since then $ID$ and $ID'$ cannot be equal. Thus we only need to try $k_{ID}$ on $c_{ID'}$ if $ID$ and $ID'$ are at the same depth in the tree, which requires knowledge of the depth of $ID'$ for the ciphertext component $c_{ID'}$. Of course, we cannot directly release $ID'$ for $c_{ID'}$, since the encryption is meant to hide $ID'$. However, since each ciphertext $C$ has a component at every depth of the tree, we can give out the depth of $ID'$ for each $c_{ID'} \in C$ without leaking any information about $ID'$. In this way, we reduce the decryption cost to $O(\log T)$ rather than $O(\log^2 T)$.

We  emphasize  that  using  AIBE  as  the  underlying  encryption  scheme  is  crucial  to  ensuring 
the  security  of  the  derived  MRQED1  scheme.  In  particular,  a  non-anonymous  IBE  scheme  is  not 
suitable  to  use  as  the  underlying  encryption  scheme,  since  IBE  hides  only  the  message  Msg  but 
not  the  attribute  x. 

3.2.3 AIBE-Based MRQED$^D$ Construction

The same idea can be applied to construct an MRQED$^D$ scheme, resulting in $O(1)$ public key size and $O((\log T)^D)$ encryption cost, ciphertext size, decryption key size, and decryption cost. The details of this construction are not crucial to the understanding of our main construction. However, in describing this construction, we highlight a few important definitions, including the notion of a simple hyper-rectangle and the definition of $\Lambda^\times(B)$. These definitions will later be used in our main construction.

We  build  D  binary  interval  trees,  one  for  each  dimension.  We  assign  a  globally  unique  ID  to 
each  node  in  the  D  trees. 


Representing a hyper-rectangle. We represent an arbitrary hyper-rectangle as a collection of simple hyper-rectangles. To illustrate this idea, we first give a formal definition of a simple hyper-rectangle, and then state how to represent an arbitrary hyper-rectangle as a collection of simple hyper-rectangles. Simply put, a simple hyper-rectangle is a hyper-rectangle $B_0$ in space such that $B_0$ can be represented by a single node in the tree of every dimension. More specifically, a hyper-rectangle $B(s_1, t_1, \ldots, s_D, t_D)$ in space is composed of a range along each dimension. If for all $1 \le d \le D$, $|\Lambda(s_d, t_d)| = 1$, i.e., $[s_d, t_d]$ is a simple range in the $d$th dimension, then we say that the hyper-rectangle $B(s_1, t_1, \ldots, s_D, t_D)$ is a simple hyper-rectangle. A simple hyper-rectangle can be defined by a single node from each dimension. We can assign a unique identity to each simple hyper-rectangle $B_0(s_1, t_1, \ldots, s_D, t_D)$ in space. Define

$$\mathrm{id}_{B_0} = (ID_1, ID_2, \ldots, ID_D),$$

where $ID_d$ ($1 \le d \le D$) is the node representing $[s_d, t_d]$ in the $d$th dimension.

Definition 3.2.2 (Hyper-rectangle as a collection of simple hyper-rectangles) Given a hyper-rectangle $B(s_1, t_1, \ldots, s_D, t_D)$, denote $\Lambda_d(B) := \Lambda(s_d, t_d)$ for $d \in [D]$. $\Lambda_d(B)$ is the collection of nodes representing the range $[s_d, t_d]$ in the $d$th dimension. The hyper-rectangle $B$ can be represented as a collection $\Lambda^\times(B)$ of simple hyper-rectangles:

$$\Lambda^\times(B) = \Lambda_1(B) \times \Lambda_2(B) \times \cdots \times \Lambda_D(B)$$

In particular, every $\mathrm{id} \in \Lambda^\times(B)$ is a vector of the form $(ID_1, ID_2, \ldots, ID_D)$, where $ID_d$ ($d \in [D]$) is a node in the tree corresponding to the $d$th dimension. Therefore, $\mathrm{id}$ uniquely specifies a simple hyper-rectangle $B_0$ in space.

Clearly, $|\Lambda^\times(B)| = O((\log T)^D)$; in addition, $\Lambda^\times(B)$ can be efficiently computed. Given the above definitions, we briefly describe the AIBE-based MRQED$^D$ construction.


Encryption. Suppose that we would now like to encrypt a message Msg and the point $X = (x_1, x_2, \ldots, x_D)$. We encrypt the message Msg under all simple hyper-rectangles that contain the point $X$. This is equivalent to encrypting Msg under the cross-product of $D$ different paths to the root. Specifically, for $d \in [D]$, denote $P_d(X) := P(x_d)$. $P_d(X)$ is the path from the root to the leaf node representing $x_d$ in the $d$th dimension. Define the cross-product of all $D$ different paths to the root:

$$P^\times(X) = P_1(X) \times P_2(X) \times \cdots \times P_D(X).$$

Then, to encrypt Msg and $X$, we use AIBE to encrypt Msg under every $\mathrm{id} \in P^\times(X)$. Since $|P^\times(X)| = O((\log T)^D)$, both encryption cost and ciphertext size are $O((\log T)^D)$.

Key derivation and decryption. To issue decryption keys for a hyper-rectangle $B$, we issue a key for every $\mathrm{id} \in \Lambda^\times(B)$. Since $|\Lambda^\times(B)| = O((\log T)^D)$, the decryption key has size $O((\log T)^D)$. Now if $X \in B$, then $P^\times(X) \cap \Lambda^\times(B) \ne \emptyset$; in addition, $P^\times(X)$ and $\Lambda^\times(B)$ intersect at exactly one simple hyper-rectangle $\mathrm{id}_{B_0}$, where the keys and the ciphertext components overlap. In this case, we use the key for $\mathrm{id}_{B_0}$ to decrypt the ciphertext component for $\mathrm{id}_{B_0}$. Otherwise, if $X \notin B$, then $P^\times(X) \cap \Lambda^\times(B) = \emptyset$. In this case, the security of the underlying AIBE scheme ensures the security of the MRQED$^D$ construction.
3.3 The Main MRQED Construction

In Section 3.2.3 we showed an AIBE-based $\mathrm{MRQED}_D$ construction with $O(1)$ public key size, $O((\log T)^D)$ encryption cost and ciphertext size, and $O((\log T)^D)$ decryption key size and decryption cost. In this section, we propose a new $\mathrm{MRQED}_D$ construction with $O(D \log T)$ public key size, $O(D \log T)$ encryption cost and ciphertext size, $O(D \log T)$ decryption key size, and $O((\log T)^D)$ decryption cost.

Our main MRQED construction relies on bilinear groups of prime order. Therefore, we begin by giving some background on pairings and bilinear groups.


3.3.1 Background on bilinear groups

A pairing is an efficiently computable, non-degenerate function $e : \mathbb{G} \times \hat{\mathbb{G}} \to \mathbb{G}'$ satisfying the bilinear property $e(g^r, \hat{g}^s) = e(g, \hat{g})^{rs}$. $\mathbb{G}$, $\hat{\mathbb{G}}$ and $\mathbb{G}'$ are all groups of prime order; $g$, $\hat{g}$ and $e(g, \hat{g})$ are generators of $\mathbb{G}$, $\hat{\mathbb{G}}$ and $\mathbb{G}'$ respectively. Although our MRQED scheme can be constructed using an asymmetric pairing, for simplicity we describe our scheme using a symmetric pairing in the remainder of this thesis proposal, i.e., $\mathbb{G} = \hat{\mathbb{G}}$.

We call a tuple $\mathcal{G} = [p, \mathbb{G}, \mathbb{G}', g, e]$ a bilinear instance, where $\mathbb{G}$ and $\mathbb{G}'$ are two cyclic groups of prime order $p$. We assume an efficient generation algorithm that, on input a security parameter $\Sigma$, outputs $\mathcal{G} \leftarrow \mathrm{Gen}(\Sigma)$ where $\log_2 p = \Theta(\Sigma)$.

We rely on the following complexity assumptions:

Decision BDH Assumption: The Decision Bilinear DH assumption, first used by Joux [27] and later used by IBE systems [8], posits the hardness of the following problem: Given

$$[g, g^{z_1}, g^{z_2}, g^{z_3}, Z] \in \mathbb{G}^4 \times \mathbb{G}',$$

where the exponents $z_1, z_2, z_3$ are picked at random from $\mathbb{Z}_p$, decide whether $Z = e(g, g)^{z_1 z_2 z_3}$.

Decision Linear Assumption: The Decision Linear assumption, first proposed by Boneh, Boyen and Shacham for group signatures [5], posits the hardness of the following problem: Given

$$[g, g^{z_1}, g^{z_2}, g^{z_1 z_3}, g^{z_2 z_4}, Z] \in \mathbb{G}^6,$$

where $z_1, z_2, z_3, z_4$ are picked at random from $\mathbb{Z}_p$, decide whether $Z = g^{z_3 + z_4}$.


3.3.2 Intuition

We build $D$ interval trees over the integers from $1$ to $T$, each representing a separate dimension. Assume each tree node has a globally unique ID. In the previous section, we showed a naive construction for $\mathrm{MRQED}_D$ based on AIBE. This naive construction encrypts $\mathrm{Msg}$ under the $O((\log T)^D)$ simple hyper-rectangles that contain the point $X$, and releases decryption keys for the $O((\log T)^D)$ simple hyper-rectangles that compose a hyper-rectangle $B$. Our goal is to reduce the ciphertext size and decryption key size to $O(D \log T)$ instead. However, as we will soon explain, naively doing this introduces the collusion attack shown in Figure 3.2(b). Our main

Figure 3.2: An $\mathrm{MRQED}_2$ scheme. (a) Encryption under the point $x = (3, 5)$ and the keys released for the range $[2, 6] \times [3, 7]$. (b) With decryption keys $k_{x_1}, k_{y_1}$ for region $R_1$ and $k_{x_2}, k_{y_2}$ for region $R_4$, regions $R_2$ and $R_3$ are compromised.


Reducing the ciphertext size. In other words, rather than encrypting $\mathrm{Msg}$ for each simple hyper-rectangle in $P^\times(X) = P_1(X) \times \cdots \times P_D(X)$, we would like to encrypt $\mathrm{Msg}$ for each tree node in the union of these $D$ different paths:

$$P^\cup(X) = P_1(X) \cup \cdots \cup P_D(X).$$

Reducing the decryption key size. Instead of representing an arbitrary hyper-rectangle using the collection of simple hyper-rectangles, we can represent a hyper-rectangle $B$ as the collection of disjoint intervals over different dimensions:

Definition 3.3.1 (Hyper-rectangle as a collection of nodes) A hyper-rectangle $B \subseteq \mathbb{L}_\Delta$ gives a collection of nodes corresponding to disjoint intervals over different dimensions:

$$\Lambda^\cup(B) = \Lambda_1(B) \cup \Lambda_2(B) \cup \cdots \cup \Lambda_D(B).$$

Note that for every hyper-rectangle $B \subseteq \mathbb{L}_\Delta$, $|\Lambda^\cup(B)| = O(D \log T)$; in addition, $\Lambda^\cup(B)$ can be computed efficiently.

With the above definition, rather than releasing keys for each simple hyper-rectangle in $\Lambda^\times(B) = \Lambda_1(B) \times \cdots \times \Lambda_D(B)$, we would like to release keys for each ID in $\Lambda_1(B) \cup \cdots \cup \Lambda_D(B)$.

Example. Figure 3.2(a) is an example in two dimensions. To encrypt under the point $(3, 5)$, we find the path from the leaf node $3$ to the root in the first dimension, and the path from the leaf node $5$ to the root in the second dimension. We then produce a block in the ciphertext corresponding to each node on the two paths. In the first dimension, we produce blocks $c_1, c_2, c_3$ and $c_4$. In the second dimension, we produce blocks $c_5, c_6, c_7$ and $c_8$. To release decryption keys for the range $[2, 6] \times [3, 7]$, we find a collection $\Lambda(2, 6)$ of nodes covering the range $[2, 6]$ in the first dimension, and a collection $\Lambda(3, 7)$ of nodes covering $[3, 7]$ in the second dimension. We issue a block in the decryption key corresponding to each node in $\Lambda(2, 6)$ and in $\Lambda(3, 7)$. In the first dimension, we create blocks $k_{\mathrm{ID}_A}$, $k_{\mathrm{ID}_B}$ and $k_{\mathrm{ID}_C}$; in the second dimension, we create blocks $k_{\mathrm{ID}_D}$, $k_{\mathrm{ID}_E}$ and $k_{\mathrm{ID}_F}$.
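The interval-tree bookkeeping shared by the AIBE-based construction of Section 3.2.3 and the main construction above, as an added Python example (not code from the thesis). It builds the canonical cover $\Lambda(s, t)$ and the root path $P(x)$ over $\{1, \ldots, T\}$, forms $\Lambda^\times(B)$, $\Lambda^\cup(B)$, $P^\times(X)$ and $P^\cup(X)$, and checks that $P^\times(X)$ and $\Lambda^\times(B)$ meet in exactly one simple hyper-rectangle when $X \in B$ and in none otherwise. Node IDs are encoded as (dimension, depth, index) triples, an assumption of this example; the thesis only requires that IDs be globally unique. The point $(3, 5)$ and the range $[2, 6] \times [3, 7]$ used in the usage block are those of Figure 3.2.

```python
from itertools import product

# Binary interval tree over {1, ..., T} for T a power of two.  Depth 1 is the
# root and depth L the leaves, so there are L = log2(T) + 1 levels.
# Node IDs are (dimension, depth, index) triples: an encoding assumed by this
# example, since the thesis only requires globally unique IDs.

def tree_height(T):
    """L: number of levels in the tree over {1, ..., T}."""
    assert T >= 2 and T & (T - 1) == 0, "T must be a power of two"
    return T.bit_length()            # T = 8 -> L = 4

def node_range(node, L):
    """Leaves [lo, hi] covered by the node (d, depth, idx)."""
    _, depth, idx = node
    span = 1 << (L - depth)
    lo = idx * span + 1
    return lo, lo + span - 1

def path(d, x, T):
    """P(x): the L nodes from the leaf x up to the root of tree d."""
    L = tree_height(T)
    nodes, idx = set(), x - 1
    for depth in range(L, 0, -1):
        nodes.add((d, depth, idx))
        idx //= 2
    return nodes

def cover(d, s, t, T):
    """Lambda(s, t): canonical nodes whose ranges partition [s, t] (at most 2L - 2 of them)."""
    L = tree_height(T)
    out = set()

    def rec(depth, idx):
        lo, hi = node_range((d, depth, idx), L)
        if t < lo or hi < s:             # disjoint from [s, t]: nothing to add
            return
        if s <= lo and hi <= t:          # entirely inside [s, t]: take this node
            out.add((d, depth, idx))
            return
        rec(depth + 1, 2 * idx)          # partial overlap: split into the children
        rec(depth + 1, 2 * idx + 1)

    rec(1, 0)
    return out

def phi(node):
    """Phi(ID) = (d, l): the dimension and depth that select the ciphertext block c_phi."""
    d, depth, _ = node
    return d, depth

# X = (x_1, ..., x_D) is a point; B = [(s_1, t_1), ..., (s_D, t_D)] is a hyper-rectangle.
def cross_paths(X, T):      # P^x(X) = P_1(X) x ... x P_D(X)
    return set(product(*[path(d, x, T) for d, x in enumerate(X, 1)]))

def union_paths(X, T):      # P^u(X) = P_1(X) u ... u P_D(X): one ciphertext block per node
    return set().union(*[path(d, x, T) for d, x in enumerate(X, 1)])

def cross_cover(B, T):      # Lambda^x(B): the simple hyper-rectangles QueryDecrypt iterates over
    return set(product(*[cover(d, s, t, T) for d, (s, t) in enumerate(B, 1)]))

def union_cover(B, T):      # Lambda^u(B): one decryption-key portion DK(ID) per node
    return set().union(*[cover(d, s, t, T) for d, (s, t) in enumerate(B, 1)])

def matching_simple_rectangle(X, B, T):
    """The unique id in P^x(X) ∩ Lambda^x(B) when X lies in B, else None."""
    common = cross_paths(X, T) & cross_cover(B, T)
    assert len(common) <= 1              # the intersection is never larger than one
    return next(iter(common), None)

if __name__ == "__main__":
    T, X, B = 8, (3, 5), [(2, 6), (3, 7)]     # the Figure 3.2 example
    print(len(union_paths(X, T)), "ciphertext blocks,",
          len(union_cover(B, T)), "key portions,",
          len(cross_cover(B, T)), "simple hyper-rectangles to try")
    print("match:", matching_simple_rectangle(X, B, T))
```

For the Figure 3.2 instance this yields the 8 ciphertext blocks and 6 key portions of the example above, while the AIBE-based construction would have needed $|P^\times(X)| = 16$ ciphertexts and $|\Lambda^\times(B)| = 9$ keys; the single matching simple hyper-rectangle is the node pair covering $[3, 4]$ and $[5, 6]$.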


Preventing the collusion attack. Unfortunately, naively doing the above is equivalent to applying the AIBE-based $\mathrm{MRQED}_1$ scheme independently in each dimension. As we demonstrate in Figure 3.2(b), such a scheme is susceptible to the collusion attack. Suppose that in Figure 3.2(b) every rectangle is a simple rectangle. Now suppose that an adversary were given the decryption keys for regions $R_1$ and $R_4$; then the adversary would have collected keys $k_{R_1} = \{k_{x_1}, k_{y_1}\}$ and $k_{R_4} = \{k_{x_2}, k_{y_2}\}$. With these, the adversary would be able to reconstruct the keys for $R_2$ and $R_3$: $k_{R_2} = \{k_{x_2}, k_{y_1}\}$, $k_{R_3} = \{k_{x_1}, k_{y_2}\}$. Hence, our major challenge is to find a way to secure against the collusion attack without incurring additional cost. We use a binding technique to prevent the collusion attack: we use re-randomization to tie together the sub-keys in different dimensions. For example, in Figure 3.2(b), when we release the decryption key for region $R_1$, instead of releasing $\{k_{x_1}, k_{y_1}\}$, we release $\{\mu_x k_{x_1}, \mu_y k_{y_1}\}$, where $\mu_x$ and $\mu_y$ are random numbers that we pick each time we issue a decryption key. Likewise, when releasing the key for region $R_4$, we release $\{\mu'_x k_{x_2}, \mu'_y k_{y_2}\}$, where $\mu'_x$ and $\mu'_y$ are two random numbers picked independently of $\mu_x$ and $\mu_y$. Of course, in the real construction, $\mu_x$ and $\mu_y$ ($\mu'_x$ and $\mu'_y$) also need to satisfy certain algebraic properties (e.g., $\mu_x \mu_y = \mu'_x \mu'_y = $ some invariant) to preserve the internal consistency of our scheme. In this way, components in the decryption key for $R_1$ cannot be used in combination with components in the decryption key for $R_4$.

3.3.3 The Main Construction

We are now ready to describe our construction. Define $L = O(\log T)$ to be the height of a tree. Assume that node IDs are picked from $\mathbb{Z}_p^*$. We append a message $\mathrm{Msg} \in \{0,1\}^m$ with a series of trailing zeros, $0^{m'}$, prior to encryption. Assume that $\{0,1\}^{m+m'} \subseteq \mathbb{G}'$.

Setup($\Sigma$, $\mathbb{L}_\Delta$) To generate the public parameters and the master private key, the setup algorithm first generates a bilinear instance $\mathcal{G} = [p, \mathbb{G}, \mathbb{G}', g, e] \leftarrow \mathrm{Gen}(\Sigma)$. Then, the setup algorithm does the following.

1. Select at random the following parameters from $\mathbb{Z}_p^{8DL+1}$:

$$\Big[\ \omega,\ \big[\alpha_{\varphi,1},\ \alpha_{\varphi,2},\ \beta_{\varphi,1},\ \beta_{\varphi,2},\ \theta_{\varphi,1},\ \theta_{\varphi,2},\ \theta'_{\varphi,1},\ \theta'_{\varphi,2}\big]_{\varphi = (d,l) \in [D] \times [L]}\ \Big]$$

In addition, we require that the $\alpha$'s and the $\theta$'s be forcibly non-zero. At this point, we give a brief explanation of our notation. The variable $\varphi$ is used to index a tuple $(d, l) \in [D] \times [L]$, where $d$ denotes the dimension and $l$ denotes the depth of a node in the corresponding tree.
2. Publish $\mathcal{G}$ and the following public parameters $\mathrm{PK} \in \mathbb{G}' \times \mathbb{G}^{8DL}$:

$$\Big[\ \ldots\ \Big]_{\varphi = (d,l) \in [D] \times [L]}$$

3. Retain a master private key $\mathrm{SK} \in \mathbb{G}^{8DL+1}$ comprising the following elements:

$$\Big[\ \tilde{\omega},\ \big[\ \ldots\ \big]_{\varphi = (d,l) \in [D] \times [L]}\ \Big]$$

Notice that in the public parameters and the master key, we have different versions of the same variable, e.g., $\alpha_{\varphi,1}$, $\alpha_{\varphi,2}$, $\theta_{\varphi,1}$, $\theta_{\varphi,2}$. Although they seem redundant, they are actually needed to provide sufficient degrees of randomness for our proof to go through. The reasons for having these different versions will become clear once the reader has gone over the detailed proof provided in Section 3.7.

DeriveKey(PK, SK, B) The following steps compute the decryption key for the hyper-rectangle $B$, given the public key $\mathrm{PK}$ and the master private key $\mathrm{SK}$.

1. Pick $O(D \cdot L)$ random elements from $\mathbb{G}^D \times \mathbb{Z}_p^{2|\Lambda^\cup(B)|}$:

$$\Big[\ [\tilde{\mu}_d]_{d \in [D]},\ [\lambda_{\mathrm{ID},1},\ \lambda_{\mathrm{ID},2}]_{\mathrm{ID} \in \Lambda^\cup(B)}\ \Big] \quad \text{such that} \quad \prod_{d \in [D]} \tilde{\mu}_d = \tilde{\omega}.$$

The reason for having an overhead tilde on the variable $\tilde{\mu}_d$ is to associate it with the variable $\tilde{\omega}$, since they both belong to the group $\mathbb{G}$ and they satisfy the condition $\prod_{d \in [D]} \tilde{\mu}_d = \tilde{\omega}$. We note that the random $\tilde{\mu}_d$'s generated in this stage are later used to re-randomize the components of the decryption key. In this way, components in different dimensions are tied to each other, and components from one decryption key cannot be used in combination with components from another decryption key. This is how we prevent the collusion attack shown in Figure 3.2(b).

2. Compute and release a decryption key $\mathrm{DK} \in \mathbb{G}^{5|\Lambda^\cup(B)|}$. $\mathrm{DK}$ is composed of a portion $\mathrm{DK}(\mathrm{ID})$ for each $\mathrm{ID} \in \Lambda^\cup(B)$. In the following definition of $\mathrm{DK}(\mathrm{ID})$, $\varphi = (d, l) = \Phi(\mathrm{ID})$ represents the dimension and depth of node $\mathrm{ID}$; without risk of ambiguity, denote $\lambda_1 = \lambda_{\mathrm{ID},1}$ and $\lambda_2 = \lambda_{\mathrm{ID},2}$. $\mathrm{DK}(\mathrm{ID})$ is defined below:

$$\mathrm{DK}(\mathrm{ID}) = \big(k_{\mathrm{ID},0},\ k_{\mathrm{ID},1},\ k_{\mathrm{ID},2},\ k_{\mathrm{ID},3},\ k_{\mathrm{ID},4}\big)$$

Observe that we release a portion of the decryption key for each node in $\Lambda^\cup(B)$, as opposed to each hyper-rectangle in $\Lambda^\times(B)$. In this way, the size of the private key is $O(DL)$ instead of $O(L^D)$. Also observe that we multiply the first element of $\mathrm{DK}(\mathrm{ID})$ by $\tilde{\mu}_d$. This illustrates the binding technique used to tie together components in different dimensions. In this way, components in one decryption key cannot be used in combination with components in another decryption key; therefore, we successfully prevent the collusion attack.


Encrypt(PK, X, Msg) We create a block in the ciphertext for every $\mathrm{ID} \in P^\cup(X)$. Equivalently, for each dimension $d$ and depth $l$, denote $\varphi = (d, l)$; we create a portion of the ciphertext corresponding to the node $I_\varphi$ residing in the $d$th tree at depth $l$, on the path $P_d(X)$ to the root. We now describe the Encrypt algorithm in the following steps:

1. Select $2DL + 1$ random integers: select $r \in_R \mathbb{Z}_p$, and select $[r_{\varphi,1}, r_{\varphi,2}]_{\varphi \in [D] \times [L]} \in_R \mathbb{Z}_p^{2DL}$.

2. For $\varphi = (d, l) \in [D] \times [L]$, define $I_\varphi$ to be the node at depth $l$ in $P_d(X)$, i.e., the node at depth $l$ on the path in the $d$th dimension. Now compute and output the following ciphertext $C \in \mathbb{G}' \times \mathbb{G}^{4DL+1}$:

$$C = \Big(\ \tilde{c} = (\mathrm{Msg} \,\|\, 0^{m'}) \cdot \Omega^r,\ \ c_0 = g^r,\ \ \Big[\ c_{\varphi,1} = \big(b_{\varphi,1}^{I_\varphi}\, b'_{\varphi,1}\big)^{r_{\varphi,1}},\ \ c_{\varphi,2} = \big(a_{\varphi,1}^{I_\varphi}\, a'_{\varphi,1}\big)^{r - r_{\varphi,1}},\ \ c_{\varphi,3} = \big(b_{\varphi,2}^{I_\varphi}\, b'_{\varphi,2}\big)^{r_{\varphi,2}},\ \ c_{\varphi,4} = \big(a_{\varphi,2}^{I_\varphi}\, a'_{\varphi,2}\big)^{r - r_{\varphi,2}}\ \Big]_{\varphi = (d,l) \in [D] \times [L]}\ \Big)$$

QueryDecrypt(PK, DK, C) We first give an overview of how QueryDecrypt works. Recall that a decryption key $\mathrm{DK} = \{\mathrm{DK}(\mathrm{ID}) \mid \mathrm{ID} \in \Lambda^\cup(B)\}$ is composed of a portion $\mathrm{DK}(\mathrm{ID})$ for each $\mathrm{ID} \in \Lambda^\cup(B)$. We now reconstruct a decryption key for each simple hyper-rectangle $\mathrm{id}_{B_0} \in \Lambda^\times(B)$ as follows. We grab from $\mathrm{DK}$ a sub-key from each dimension: for each $d \in [D]$, grab a sub-key $\mathrm{DK}(\mathrm{ID}_d)$ from the $d$th dimension, where $\mathrm{ID}_d \in \Lambda_d(B)$. The collection of sub-keys $\{\mathrm{DK}(\mathrm{ID}_1), \mathrm{DK}(\mathrm{ID}_2), \ldots, \mathrm{DK}(\mathrm{ID}_D)\}$ can now be jointly used to decrypt a message encrypted under the simple hyper-rectangle $\mathrm{id}_{B_0} = (\mathrm{ID}_1, \ldots, \mathrm{ID}_D)$.

We also need to find the correct blocks in the ciphertext to which to apply this key for $\mathrm{id}_{B_0}$. Recall that the ciphertext is of the form $C = (\tilde{c}, c_0, [c_{\varphi,1}, c_{\varphi,2}, c_{\varphi,3}, c_{\varphi,4}]_{\varphi = (d,l) \in [D] \times [L]})$. For convenience, denote $c_\varphi := [c_{\varphi,1}, c_{\varphi,2}, c_{\varphi,3}, c_{\varphi,4}]$ for $\varphi = (d, l) \in [D] \times [L]$; $c_\varphi$ is the block in the ciphertext corresponding to a node in the $d$th dimension at depth $l$ of the tree. Define $\Phi(\mathrm{ID}) = (d, l)$ to extract the dimension and depth of the node $\mathrm{ID}$. Now for a sub-key $\mathrm{DK}(\mathrm{ID})$, define $\varphi = \Phi(\mathrm{ID})$; it is not hard to see that $\mathrm{DK}(\mathrm{ID})$ should be used in combination with the block $c_\varphi$ in the ciphertext.

The following algorithm iterates through the simple hyper-rectangles in $\Lambda^\times(B)$ and checks whether the ciphertext decrypts to a valid message under each simple hyper-rectangle in $\Lambda^\times(B)$.

For each simple hyper-rectangle $B_0 = (\mathrm{ID}_1, \mathrm{ID}_2, \ldots, \mathrm{ID}_D) \in \Lambda^\times(B)$:

(1) Let $\mathrm{DK}(\mathrm{ID}_d) = (k_{\mathrm{ID}_d,0}, k_{\mathrm{ID}_d,1}, k_{\mathrm{ID}_d,2}, k_{\mathrm{ID}_d,3}, k_{\mathrm{ID}_d,4})$ denote the element in $\mathrm{DK}$ for $\mathrm{ID}_d$, where $d \in [D]$.

(2) Try to decrypt $C$ under $B_0$ with the collection $\{\mathrm{DK}(\mathrm{ID}_1), \mathrm{DK}(\mathrm{ID}_2), \ldots, \mathrm{DK}(\mathrm{ID}_D)\}$ of sub-keys:

$$V \leftarrow \tilde{c} \cdot \prod_{\substack{d \in [D],\\ \varphi_d = \Phi(\mathrm{ID}_d)}} e(c_0, k_{\mathrm{ID}_d,0}) \cdot e(c_{\varphi_d,1}, k_{\mathrm{ID}_d,1}) \cdot e(c_{\varphi_d,2}, k_{\mathrm{ID}_d,2}) \cdot e(c_{\varphi_d,3}, k_{\mathrm{ID}_d,3}) \cdot e(c_{\varphi_d,4}, k_{\mathrm{ID}_d,4})$$

If $V$ is of the form $\mathrm{Msg} \,\|\, 0^{m'}$, then output $\mathrm{Msg}$ as the decrypted plaintext and exit.

If for all simple hyper-rectangles in $\Lambda^\times(B)$ the previous step fails to produce the plaintext, then output $\bot$.

When done naively, the above QueryDecrypt algorithm takes $O(D (\log T)^D)$ time. However, if one saves intermediate results, it can be done in $O((\log T)^D)$ time with $O(D \log T)$ storage. The above numbers take into account all group operations, including multiplication, exponentiation and bilinear pairing. However, since a pairing operation is typically more expensive than an exponentiation (and far more expensive than a multiplication) in known bilinear groups, we are particularly interested in reducing the number of pairings at decryption time. Notice that we can precompute all pairings $e(c_0, k_{\mathrm{ID}_d,0})$ and $e(c_{\varphi_d,i}, k_{\mathrm{ID}_d,i})$ for $1 \le i \le 4$, and store the results in a look-up table. Therefore, the decryption algorithm requires $O(D \log T)$ pairings in total.


3.3.4 Consistency, Security

The following two theorems state the consistency and security of our MRQED construction.

Theorem 3.3.2 (Internal consistency) The above defined MRQED construction satisfies the consistency requirement posed by Equation o.

Theorem 3.3.3 (Selective security) The above defined MRQED construction is selectively secure against polynomial-time adversaries.

Below we give an overview of the techniques used in the security proof. The detailed proofs of Theorem 3.3.2 and Theorem 3.3.3 are provided in Section 3.7. To prove the selective security of our $\mathrm{MRQED}_D$ construction, we decompose the selective MRQED game into two games: a selective confidentiality game and a selective anonymity game. By the hybrid argument, if no polynomial-time adversary has more than negligible advantage in either the confidentiality game or the anonymity game, then no polynomial-time adversary has more than negligible advantage in the combined selective MRQED game.

In the proof, we build a simulator that leverages an MRQED adversary to solve the D-BDH problem or the D-Linear problem. The simulator inherits parameters specified by the D-BDH/D-Linear instance; hence, it has incomplete information about the master key. Therefore, the crux of the proof is how to simulate the key derivation algorithm without knowing the complete master key. In comparison, the anonymity proof is more complicated than the confidentiality proof, because it involves a hybrid argument containing $2DL$ steps. In step $(d_1, l_1, n_1)$ of the hybrid argument, $y_{\varphi_1, n_1}$ and $y'_{\varphi_1, n_1}$ ($\varphi_1 = (d_1, l_1)$) in the master key contain unknown parameters inherited from the D-Linear instance. Therefore, we need to condition on the relative position between $X^*$ and the $(d_1, l_1)$ in question. Our proof techniques are similar to those presented in the AHIBE paper [13].
3.3.5 Practical Performance

In this section, we give a detailed analysis of the performance of the $\mathrm{MRQED}_D$ scheme given in Section 3.3.3 in practical scenarios. We use the conditional release of encrypted network audit logs as our motivating application.

Assumptions. To evaluate the scheme of Section 3.3.3 in this application, we detail a set of scenarios regarding the searchable fields present in the logs. We assume log entries contain the fields listed in Table 3.2. The 17-bit time field is sufficient to distinguish times over a period of about 15 years at a one-hour resolution, or about three months at a one-minute resolution. More precise times may be stored in the non-searchable portion of the message if desired. The protocol field corresponds to the actual bits of the corresponding field in an IP header (where, for example, 6 denotes TCP and 133 denotes Fibre Channel). Various subsets of these fields may be included as searchable attributes in $\mathrm{MRQED}_D$. Other fields and any additional associated data, such as a payload, may be included as the encrypted message. Regardless of message length, we need only use the $\mathrm{MRQED}_D$ scheme to encrypt a single group element, which may be a randomly generated symmetric key (e.g., for AES) used to encrypt the message.

  Field       Abbr.   Range               Distinct Values
  Source IP   sip     [0, T_sip - 1]      T_sip = 2^32
  Dest. IP    dip     [0, T_dip - 1]      T_dip = 2^32
  Port        port    [0, T_port - 1]     T_port = 2^16
  Time        time    [0, T_time - 1]     T_time = 2^17
  Protocol    prot    [0, T_prot - 1]     T_prot = 2^8

Table 3.2: Fields appearing in a network audit log and their possible values.

Benchmarks for the selected pairing were run on a modern workstation. We ran the benchmarks twice: 1) in winter 2006, on a 64-bit, 3.2 GHz Pentium 4 processor; 2) again in summer 2008, on a 2.4 GHz Intel Core 2 processor^1. We used the Pairing-Based Cryptography (PBC) library, which is in turn based on the GNU Multiple Precision Arithmetic Library (GMP). Note that the benchmarking program uses a single thread; therefore, on the dual-core processor only one core was used in the measurement. The relevant results are given in Table 3.3. It is interesting, but not surprising, to observe that the benchmarks improved by a factor of approximately 2 from 2006 to 2008 (for most of the major operations).

Using these benchmark numbers, we now estimate the performance of our encryption scheme under several scenarios for the network audit log application.

^1 Although the new processor has a lower clock rate than the old one, it is more powerful due to its improved pipeline structure.

  (a) Year 2006: 64-bit 3.2GHz Pentium 4
  Operation                        Time
  pairing (no preprocessing)       5.5 ms
  pairing (after preprocessing)    2.6 ms
  preprocess pairing               5.9 ms
  exponentiation in G, Ĝ           6.4 ms
  exponentiation in G'             0.6 ms
  multiplication in G'             5.1 μs

  (b) Year 2008: 2.40GHz Intel Core(TM)2
  Operation                        Time
  pairing (no preprocessing)       2.6 ms
  pairing (after preprocessing)    1.1 ms
  preprocess pairing               4.7 ms
  exponentiation in G, Ĝ           5.3 ms
  exponentiation in G'             0.3 ms
  multiplication in G'             2.4 μs

Table 3.3: Group arithmetic and pairing performance benchmarks on a modern workstation. Panel (a) reflects benchmarks in 2006; panel (b) reflects updated benchmark numbers in 2008.

Public parameters and master key. The space required to store the public parameters and master key is logarithmic in the number of possible attribute values. Specifically, denote the set of attributes as $A = \{\mathrm{sip}, \mathrm{dip}, \mathrm{port}, \mathrm{time}, \mathrm{prot}\}$. Then for each attribute $a \in A$, define the height of the tree $L_a = \log_2 T_a + 1$. For example, $L_{\mathrm{sip}} = 33$ and $L_{\mathrm{prot}} = 9$. Then the public parameters $\mathrm{PK}$ require a total of $8 \sum_{a \in A} L_a = 880$ elements of $\mathbb{G}$ and one element of $\mathbb{G}'$. Assuming 512-bit representations^2 of elements of $\mathbb{G}$ and $\mathbb{G}'$, the total size of $\mathrm{PK}$ is 55KB. The master key $\mathrm{SK}$ contains the same number of elements, again requiring 55KB of storage. More space-efficient pairings than the one used in this estimate are available, but this one was selected for speed of evaluation.

Computation time for Setup is reasonable, given that it is only run once. Computing the public and private parameters in Setup requires roughly $16 \sum_{a \in A} L_a$ exponentiations and one pairing. This means roughly 11.3s running time on the old processor in 2006, and 9.3s on the new processor in 2008. Time spent on multiplication in this case is negligible.

Encryption. Saving the group elements of a ciphertext requires $4 \sum_{a \in A} L_a + 2$ group elements, or 28KB. Note that we normally just encrypt a session key, so this is a constant overhead beyond the actual length of the message. Running Encrypt requires about two exponentiations for each group element, resulting in a time of about 5.6s in 2006, and 4.7s in 2008. While significant, this overhead should be acceptable in most cases in the network audit log example. If audit logs are high volume, the best strategy may be to produce periodic summaries rather than separately encrypting each packet. The searchable attributes of such summaries would reflect the collection of entries they represent, and the full contents of the entries could be included as the encrypted message without incurring additional overhead. In systems containing a cryptographic accelerator chip supporting ECC (such as some routers), much higher performance is possible. For example, the Elliptic Semiconductor CLP-17 could reduce the time of an exponentiation from 6.4ms to 30μs [17], resulting in a total encryption time as low as 27ms.


Key derivation and decryption. We now consider decryption keys and the running time of the decryption algorithm, the more interesting aspects of the scheme's computational and storage requirements. The space required to store a decryption key, the time to derive it, and the time to decrypt using it depend only on the ranges of attributes for which it permits decryption. Unlike the computational and storage requirements discussed thus far, these costs do not depend on the full range of possible values, only on those associated with the key. These costs depend on the number of key components necessary to represent the permissible range along each dimension. For example, suppose a particular decryption key $\mathrm{DK}$ only allows decryption of entries with a destination port in the range $[3, 7]$ (perhaps placing other requirements on the other attributes). Referring back to Figure 3.2(a), we see that three tree nodes are necessary to cover this range, so DeriveKey would include these three for the destination port dimension in $\mathrm{DK}$. Similarly, given some decryption key $\mathrm{DK}$, we denote the number of tree nodes necessary to cover the decryption range in each of the dimensions $a \in A$ by $N_a = |\Lambda_a(B)|$ (using the notation of Section 3.3.3). So in this example, $N_{\mathrm{port}} = 3$. Note that for any $a \in A$, in the worst case, $N_a = 2L_a - 2$.

^2 We consider a type A pairing using the supersingular curve $y^2 = x^3 + x$ for the groups $\mathbb{G}$ and $\hat{\mathbb{G}}$ with a base field size of 512 bits. Note that all groups involved have 160-bit group order; the storage requirements arise from the specific representation of elements in the elliptic curves.

  (a) Performance in 2006.

  Example Query                                    (N_sip, N_dip, N_port, N_time, N_prot)   Pairing Time   Worst-case Mult. Time   Worst-case Dec. Time
  sip = 207.44.178.*, dip = 216.187.103.169,       (1, 1, 1, 1, 1)                          65ms           < 0.1ms                 65ms
    port = 22, time = *, prot = TCP
  sip ∈ [207.44.178.123, 207.44.182.247],          (10, 1, 1, 7, 3)                         286ms          1.2ms                   287ms
    dip = *, port = 22,
    time ∈ [5pm 10/31, 9am 11/5],
    prot ∈ {TCP, UDP, ICMP}
  sip ∈ [207.44.178.123, 207.60.177.15],           (20, 20, 15, 17, 3)                      0.98s          1.64s                   2.62s
    dip ∈ [207.44.178.123, 207.60.177.15],
    port ∈ [3024, 35792],
    time ∈ [10/31/2006, 10/31/2020],
    prot ∈ {TCP, UDP, ICMP}

  (b) Performance in 2008.

  Example Query                                    (N_sip, N_dip, N_port, N_time, N_prot)   Pairing Time   Worst-case Mult. Time   Worst-case Dec. Time
  sip = 207.44.178.*, dip = 216.187.103.169,       (1, 1, 1, 1, 1)                          28ms           < 0.1ms                 28ms
    port = 22, time = *, prot = TCP
  sip ∈ [207.44.178.123, 207.44.182.247],          (10, 1, 1, 7, 3)                         121ms          0.6ms                   122ms
    dip = *, port = 22,
    time ∈ [5pm 10/31, 9am 11/5],
    prot ∈ {TCP, UDP, ICMP}
  sip ∈ [207.44.178.123, 207.60.177.15],           (20, 20, 15, 17, 3)                      0.41s          0.77s                   1.18s
    dip ∈ [207.44.178.123, 207.60.177.15],
    port ∈ [3024, 35792],
    time ∈ [10/31/2006, 10/31/2020],
    prot ∈ {TCP, UDP, ICMP}

Table 3.4: Decryption times (in 2006 and 2008) resulting from decryption keys of various sizes.
Now given $N_a$ for each $a \in A$, we may compute the decryption costs. A decryption key consists of $5 \sum_{a \in A} N_a$ group elements, and DeriveKey performs $8 \sum_{a \in A} N_a$ exponentiations. The number of operations necessary to decrypt using a key $\mathrm{DK}$ is slightly more subtle. While QueryDecrypt is $\Theta(\prod_{a \in A} N_a)$ (i.e., $\Theta((\log T)^D)$) overall, only $O(\sum_{a \in A} L_a)$ (i.e., $O(D \log T)$) pairings are required, as mentioned in Section 3.3.3. Specifically, we only need to compute $5 \sum_{a \in A} N_a$ pairings to populate a lookup table containing the values $e(c_0, k_{\mathrm{ID},0})$ and $e(c_{\varphi,i}, k_{\mathrm{ID},i})$ for $1 \le i \le 4$. These values are sufficient to compute the QueryDecrypt algorithm. Assuming a key will normally be used to decrypt a batch of ciphertexts one after another, we may further reduce the cost of pairings by preprocessing with the key. As shown in Table 3.3, preprocessing reduces the pairing time by about half, at a one-time cost (per decryption key $\mathrm{DK}$) equivalent to one or two decryptions. Computed naively, the sequence of trials in step one of QueryDecrypt ends up requiring a total of $|A| \prod_{a \in A} N_a$ multiplications in $\mathbb{G}'$. This can be somewhat reduced. Let $S_1, \ldots, S_{|A|}$ be $\{N_a \mid a \in A\}$ sorted in ascending order: $S_1 \le S_2 \le \cdots \le S_{|A|}$. Then by saving intermediate results between trials and ordering the dimensions appropriately, it is possible to complete step one with a total of $S_1 + S_1 S_2 + S_1 S_2 S_3 + \cdots + S_1 S_2 \cdots S_{|A|}$ multiplications.


Specific scenarios. We have now computed the costs associated with the storage and usage of a decryption key in terms of $N_a$ for $a \in A$, but we have not yet specified $N_a$. If we assume the range for each attribute is selected uniformly at random, then for each $a \in A$ the expected value of $N_a$ is $L_a - 1$. This results in a decryption key size of 33KB and a running time for DeriveKey of 5.4s in 2006, and 4.5s in 2008. The corresponding worst-case decryption time^3 is 13.1s in 2006, and 6.1s in 2008. Note that this has improved by a factor of 2 over a period of 1.5 years. This may still be a major cost, and is likely to be inconvenient if significant quantities of log entries must be decrypted. Fortunately, queries eliciting such long decryption times are not likely to be necessary in practice. In fact, fairly elaborate queries are possible while keeping decryption costs low.

In Table 3.4 we provide several examples that help demonstrate this. The first entry illustrates the fact that specifying a single value, all values, or a range of values falling on power-of-two boundaries (as in the case of an IP subnet) for some attribute $a$ results in $N_a = 1$, reducing decryption time dramatically. In the next example, several attributes are required to be in general ranges or, in the case of prot, selected from a small set. This results in larger numbers of key components and slightly longer decryption times. Still, the decryption time in this case is far below the time with each range randomly selected. As shown by the third example, larger ranges result in larger values of $N_a$ and, again, somewhat larger, but still relatively low, decryption times. It is interesting to note that the decryption time has improved by a rough factor of 2 over a period of 1.5 years.

Exploiting parallelism to speed up the computation. The performance numbers in Table 3.4 do not exploit any parallelism. In particular, even on the newer dual-core CPU, we did not leverage the second core, because our benchmarking program used a single thread.

³ In reality, the average decryption time is smaller than this number, since upon a successful decryption, the QueryDecrypt algorithm exits after trying half of the combinations in expectation, and thus performs half the worst-case multiplications.
We would like to note that most of the above computations are easily parallelizable. For example, if one has multiple entries to decrypt, one can easily distribute them across multiple processors. Even when we are decrypting a single entry, we can parallelize the QueryDecrypt algorithm internally. For example, the $5\,N_a$ pairing operations do not have any dependencies, and we can assign them to different processors easily. We can also distribute the simple hyper-rectangles to the multiple processors: each processor will try to decrypt at $k$ of the $(\log T)^n$ hyper-rectangles.

In fact, if we have plenty of processors, we can distribute the computation such that each processor only has to perform one pairing. After all the pairing results are computed, each processor tries to decrypt at one simple rectangle. In this case, the multiplication time becomes negligible compared to the pairing time. Therefore, ignoring possible overheads of parallelism, the theoretical decryption time can be improved to roughly the time of a single pairing operation (1.1ms as of 2008), even in the worst-case scenario.

This is very encouraging, especially as parallel computation is starting to be widely accepted in practice. The latest consumer PCs have multiple processors, and IT companies are using large clusters to run their computations. For example, Google's cluster is estimated at 100K nodes, and this may well be a conservative estimate [38].

3.4  The  Dual  Problem  and  Stock  Trading  through  a  Broker 

In the MRQED problem, one encrypts a message $\mathrm{Msg}$ under a point $X$ in multi-dimensional space, and given a hyper-rectangle $B$, the master key owner can construct a capability allowing an auditor to decrypt all entries satisfying $X \in B$. On the other hand, the privacy of the irrelevant entries is still preserved.

Informally, the natural dual problem to MRQED is where one encrypts under a hyper-rectangle $B$, and given a point $X$, the master key owner can construct a capability allowing an auditor to decrypt all entries satisfying $B \ni X$. As in MRQED, we require that the privacy of all irrelevant entries be preserved. We now show an interesting application of the dual problem, and then show that MRQED implies a solution for the dual problem.

An interesting application of the dual problem is for trading stocks and other securities. Suppose an investor trades stocks through a broker. The investor specifies a price range and a time range, such that if the stock price falls within that range during a specific period of time, the broker can buy or sell the stock on behalf of the investor. This is usually referred to as a stop order, limit order, or stop-limit order. Sometimes, the investor may not fully trust the broker, and may wish to conceal the price and time ranges from the broker before an order is executed.

The dual problem can be applied in such scenarios to address the privacy concerns of investors. In particular, the stock exchange, or any third party with knowledge of the real-time stock price, can act as the trusted authority who owns the master key. For convenience, in the following description, we assume that the stock exchange is the trusted authority. The investor first encrypts the order along with the desired price and time ranges, and sends the encrypted order to the broker. Suppose that at a certain point of time $t$, the stock price is $p$. The stock exchange constructs a decryption key for the pair $(t, p)$, and hands it to the broker. With this decryption key, the broker can decrypt all orders whose price and time ranges match the current price $p$ and the current time $t$, and execute these orders. For orders whose price and time ranges do not match the current price and time, the broker cannot learn any additional information about these orders.

MRQED implies the dual problem. We use a 2-dimensional example to illustrate how MRQED implies a solution for the dual problem.

• Dual.Setup$(\Sigma, [T]^2)$: Call MRQED.Setup$(\Sigma, [T]^4)$, and output the public key $PK$ and master key $SK$.

• Dual.Encrypt$(PK, [x_1, x_2] \times [y_1, y_2], \mathrm{Msg})$: To encrypt a message $\mathrm{Msg}$ under the range $[x_1, x_2] \times [y_1, y_2]$ in 2 dimensions, call MRQED.Encrypt$(PK, (x_1, x_2, y_1, y_2), \mathrm{Msg})$. Observe that here a range $[x_1, x_2] \times [y_1, y_2]$ in $[T]^2$ is mapped to a point $(x_1, x_2, y_1, y_2)$ in $[T]^4$.

• Dual.DeriveKey$(PK, SK, (x, y))$: To generate a decryption key for the point $(x, y) \in [T]^2$, call MRQED.DeriveKey$(PK, SK, [1, x] \times [x, T] \times [1, y] \times [y, T])$.

• Dual.QueryDecrypt$(PK, DK, C)$: To try to decrypt a ciphertext $C$ using the decryption key $DK$, call MRQED.QueryDecrypt$(PK, DK, C)$.

In essence, the above scheme maps a range $[x_1, x_2] \times [y_1, y_2] \subseteq [T]^2$ to a point $(x_1, x_2, y_1, y_2) \in [T]^4$, and testing whether a point $(x, y)$ is within the range $[x_1, x_2] \times [y_1, y_2]$ is equivalent to testing whether $(x_1, x_2, y_1, y_2) \in [1, x] \times [x, T] \times [1, y] \times [y, T]$. It is easy to verify that the security of the MRQED scheme guarantees a similar notion of security for the dual construction, i.e., if a decryption key fails to decrypt a certain ciphertext entry, then a probabilistic polynomial-time adversary cannot learn any additional information about that entry.
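The following is an added example in Python, not code from the thesis: it models the tree-level containment test that MRQED decryption is built on (paths $P(x)$, covers $\Lambda(s,t)$, simple hyper-rectangles) with the group operations left out, and layers the Dual reduction above on top of it; $T$ is assumed to be a power of two and all function names are my own.

```python
from itertools import product

# Added example, not the thesis's code. Group elements and pairings are omitted:
# only the combinatorial structure that decides whether a key opens a ciphertext
# is modelled. A tree node is written as the range (s, t) of leaves it covers.


def path_to_root(T, x):
    """P(x): nodes of the interval tree tr(T) on the path from the root to leaf x,
    root first. T must be a power of two and 1 <= x <= T."""
    assert T & (T - 1) == 0 and 1 <= x <= T
    nodes, width = [], T
    while width >= 1:
        s = ((x - 1) // width) * width + 1
        nodes.append((s, s + width - 1))
        width //= 2
    return nodes


def cover(T, s, t):
    """The set of tree nodes whose ranges tile [s, t] (dyadic cover); at most
    2 log2(T) nodes. x lies in [s, t] iff one of these nodes is on P(x)."""
    assert 1 <= s <= t <= T
    nodes, lo = [], s
    while lo <= t:
        width = T
        # shrink until the node starting at lo is aligned and still fits in [lo, t]
        while (lo - 1) % width != 0 or lo + width - 1 > t:
            width //= 2
        nodes.append((lo, lo + width - 1))
        lo += width
    return nodes


def simple_hyper_rectangles(T, B):
    """Hyper-rectangle B = [(s_1,t_1), ..., (s_D,t_D)] as the cross product of the
    per-dimension covers; each element is one simple hyper-rectangle B_0."""
    return list(product(*(cover(T, s, t) for s, t in B)))


def query_decrypt_shape(T, X, B):
    """The search QueryDecrypt performs: try every B_0 and succeed at the first one
    whose node in each dimension d lies on P_d(X). Returns that B_0, or None when X
    is outside B (the real scheme then yields nothing about the entry)."""
    paths = [set(path_to_root(T, x)) for x in X]
    for B0 in simple_hyper_rectangles(T, B):
        if all(node in path for node, path in zip(B0, paths)):
            return B0
    return None


def dual_encrypt_point(rng):
    """Dual.Encrypt: the range [x1,x2] x [y1,y2] becomes the 4-dim point (x1,x2,y1,y2)."""
    (x1, x2), (y1, y2) = rng
    return (x1, x2, y1, y2)


def dual_key_rectangle(T, point):
    """Dual.DeriveKey: the point (x,y) becomes [1,x] x [x,T] x [1,y] x [y,T]."""
    x, y = point
    return [(1, x), (x, T), (1, y), (y, T)]


def dual_matches(T, rng, point):
    """True iff a key for dual_key_rectangle(point) opens a ciphertext whose MRQED
    point is dual_encrypt_point(rng), which is exactly when point lies in rng."""
    return query_decrypt_shape(T, dual_encrypt_point(rng),
                               dual_key_rectangle(T, point)) is not None


def executable_orders(T, orders, t, p):
    """Broker's view from the stock-trading scenario: with the exchange's key for
    (time t, price p),  only orders whose time range x price range contains (t, p)
    decrypt; the others stay opaque."""
    return [name for name, rng in orders if dual_matches(T, rng, (t, p))]


if __name__ == "__main__":
    T = 16  # constructed sample: 16 discrete time slots and 16 price levels
    # (name, (time range, price range)); constructed sample orders
    orders = [("limit-buy-A", ((1, 8), (3, 5))),
              ("stop-B", ((5, 12), (9, 16))),
              ("window-C", ((2, 3), (1, 16)))]
    print(executable_orders(T, orders, 6, 4))   # ['limit-buy-A']
    print(executable_orders(T, orders, 6, 10))  # ['stop-B']
```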


3.5  Notation 

We summarize the notations used throughout this chapter in Table 3.5.

Notation | Explanation | First Defined
$[s, t]$ | integers $s$ through $t$ | Sec. ?
$[a]$ | integers 1 through $a$ | Sec. 3.1.2
$D$ | number of dimensions | Sec. ?
$T$ | number of discrete values in each dimension | Sec. ?
$L_\Delta$ | multi-dimensional lattice | Sec. ?
$X$ | a point in the lattice | Sec. ?
$B$ | a hyper-rectangle | Sec. 3.1.2
$\Sigma$ | security parameter | Sec. 3.1.2
$PK$ | public key | Sec. 3.1.2
$SK$ | master key | Sec. 3.1.2
$DK$ | decryption key | Sec. 3.1.2
$\mathrm{Msg}$ | message to encrypt | Sec. 3.1.2
$\mathcal{M}$ | message space | Sec. 3.1.2
$\mathcal{G}$ | a bilinear instance | Sec. ?
$\mathbb{G}$ | bilinear group | Sec. ?
$\mathbb{G}_T$ | target group | Sec. ?
$e$ | bilinear pairing function | Sec. 3.3.1
$g$ | generator of $\mathbb{G}$ | Sec. 3.3.1
$\mathbb{Z}_p$ | additive group of integers modulo a prime $p$ | Sec. 3.3.1
$\mathbb{Z}_p^*$ | multiplicative group of integers modulo a prime $p$ | Sec. 3.3.3
$tr(T)$ | binary interval tree over integers 1 through $T$ | Sec. ?
$ID$ | identity of a tree node | Sec. ?
$cv(ID)$ | range represented by a tree node $ID$ | Sec. ?
$P(x)$ | path from the root to the leaf node representing $x$ | Sec. 3.2.2
$\Lambda(s, t)$ | set of nodes representing the range $[s, t]$ | Sec. 3.2.2
$\Lambda_d(B)$ | set of nodes representing the range specified by $B$ in the $d$th dimension | Sec. 3.2.3
$B_0$ | simple hyper-rectangle | Sec. ?
$id_{B_0}$ | identity vector of the simple hyper-rectangle $B_0$ | Sec. ?
$\Lambda_\times(B)$ | hyper-rectangle $B$ as a collection of simple hyper-rectangles | Sec. ?
$P_d(X)$ | path to root in the $d$th dimension for the point $X$ | Sec. 3.2.3
$P_\times(X)$ | cross-product of all $D$ paths to root for the point $X$ | Sec. 3.2.3
$P_\cup(X)$ | union of all $D$ paths to root for the point $X$ | Sec. ?
$\Lambda_\cup(B)$ | hyper-rectangle $B$ as a set of tree nodes | Sec. ?
$L$ | height of interval tree | Sec. ?
$\Phi$ | a function that outputs the dimension and depth of some node $ID$ | Sec. ?
$\varphi = (d, l)$ | usually used in subscripts to indicate the dimension and depth respectively | Sec. 3.3.3
$I_\varphi(X)$ where $\varphi = (d, l)$ | the node at depth $l$ in the path $P_d(X)$ of the $d$th dimension | Sec. 3.3.3

Table 3.5: Notations. ("Sec. ?" marks a section reference that is illegible in the source.)


3.6  Proof  of  Consistency 


Proof of Theorem 3.3.2

Let $C = (c, c_0, [c_{\varphi,1}, c_{\varphi,2}, c_{\varphi,3}, c_{\varphi,4}]_{\varphi=(d,l)\in[D]\times[L]})$ be the encryption of $\mathrm{Msg}$ on point $X$. Let $\Lambda_\times(B_0) = \{(ID_1, ID_2, \ldots, ID_D)\} \subseteq \Lambda_\times(B)$ be the current simple hyper-rectangle under decryption. Let $\varphi_d = \Phi(ID_d)$ ($d \in [D]$).

If $X \in B_0$, then for all $d \in [D]$, $I_{\varphi_d}(X) = ID_d$. For simplicity, let $\mathcal{E}(x) = e(g, g)^x$, and denote $I_{\varphi_d} = I_{\varphi_d}(X)$. Now decryption for $B_0$ proceeds as follows:


1/  =(Msg||0"*')  ■  ■  n  e 


d€[D] 


■  n  e(av<Jin-A^.»,(6v<J)n^6;<J)n)r^’n)  •  J]  e  (W^, 

de[D],ne[  2]  dG[D],nG[2] 


/ 


\ 


■£ 


r  ‘  a,Pd,n^ifd,n^IDd,n  {9(pd,nIDd  +  ^djn) 

\ 


de[D], 

\  ne[2] 


aifd,n(  ^IDd,n)rtpd,nPtpd,n  {Ptpd,n^ipd  +  @ipd,n) 


d£[D], 

nG[2] 


/ 


=(Msg||0TO  )  ■  f2-r  ■  e  (gr  ,u>)  ■  £ 

( 

V 

^  ]  P<pd,n(~^IDd,n)  ( r  —  r‘pd,n)  aipd,n  (&i pd,n^ifd  +  Q(pd,n) 

( 

V 

£  r‘  a<Pd,n[3(pd,n{~ ^IDd,n)  (9ipd,nlipd  +  ®tpd,n) 

=Msg||0 


/ 


dG[D], 

\  ng[2] 


=(Msg|  |0m  )  ■  Cl~r  ■  e(gr ,u>)  ■  £ 

( 


d£[D], 
\  nG[2] 


\ 


\ 


d€[D], 
Tie  [2] 


r  ‘  a(pd,nf3ifd,n^I Dd,n  (9ipd,nIDd  +  O^^n) 

\ 


Else if $X \notin B_0$, then $I_{\varphi_d}(X) \neq ID_d$ for some $d \in [D]$. Hence decryption yields


V  =  (Msg|  |0r 


/  \ 

r  ‘  S  0i<pd,nf^ipd,n^IDd,n  {@tpd,nl Dd  +  9ipd^ 
de[D], 

V  "£[2]  / 

\ 

£  r  '  (X<pd,n(3ipd,n^IDd,n  ( 9tpd,nl<pd  +  ^d,n) 

de[D], 

nG[2]  / 


=  (Msg||Om')-Qr 


-r‘Pd,n 
where


/ 


\ 


With probability $1 - 1/p$, $\Omega \neq 1$, and the ciphertext is distributed uniformly at random in $\mathbb{G}_T$. Hence the probability that $V$ is of the form $\mathrm{Msg}\|0^{m'}$ is less than $1/p$ plus a second term that is illegible in the source.


3.7  Proof  of  Security 


To prove the selective security of our MRQED construction, we decompose the selective MRQED game into two games: a selective confidentiality game and a selective anonymity game. By the hybrid argument, if no polynomial-time adversary has more than negligible advantage in either the confidentiality game or the anonymity game, then no polynomial-time adversary has more than negligible advantage in the combined selective MRQED game. The terminology confidentiality and anonymity that we use here is adopted from AIBE schemes.

Definition 3.7.1 (MRQED selective confidentiality game) The MRQED selective confidentiality game is defined as below.

• Init: The adversary $\mathcal{A}$ outputs a point $X^*$ where it wishes to be challenged.

• Setup: The challenger runs the Setup$(\Sigma, L_\Delta)$ algorithm to generate $PK$, $SK$. It gives $PK$ to the adversary, but does not divulge $SK$.

• Phase 1: The adversary is allowed to issue decryption key queries for hyper-rectangles that do not contain $X^*$.

• Challenge: The adversary submits two equal-length messages $\mathrm{Msg}_0$ and $\mathrm{Msg}_1$. The challenger flips a random coin $b$, and encrypts $\mathrm{Msg}_b$ under $X^*$. The ciphertext is passed to the adversary.

• Phase 2: Phase 1 is repeated.

• Guess: The adversary outputs a guess $b'$ of $b$.

Definition 3.7.2 (MRQED selective anonymity game) The MRQED selective anonymity game is defined as below.

• Init: The adversary $\mathcal{A}$ outputs two points $X_0$ and $X_1$ where it wishes to be challenged.

• Setup: The challenger runs the Setup$(\Sigma, L_\Delta)$ algorithm to generate $PK$, $SK$. It gives $PK$ to the adversary, but does not divulge $SK$.

• Phase 1: The adversary is allowed to issue decryption key queries for hyper-rectangles that contain neither $X_0$ nor $X_1$.

• Challenge: The adversary submits a message $\mathrm{Msg}$. The challenger first flips a random coin $b$, and then encrypts $\mathrm{Msg}$ under $X_b$. The ciphertext is passed to the adversary.

• Phase 2: Phase 1 is repeated.

• Guess: The adversary outputs a guess $b'$ of $b$.

In either game, we define the adversary $\mathcal{A}$'s advantage as

$\mathrm{Adv}_{\mathcal{A}}(\Sigma) = \left| \Pr[b = b'] - \tfrac{1}{2} \right|$


Definition 3.7.3 (IND-sID-CPA) An MRQED scheme is IND-sID-CPA secure if all polynomial-time adversaries have at most a negligible advantage in the confidentiality game.

Definition 3.7.4 (ANON-sID-CPA) An MRQED scheme is ANON-sID-CPA secure if all polynomial-time adversaries have at most a negligible advantage in the anonymity game.

Lemma  3.7.5  If  an  MRQED  scheme  is  both  IND-sID-CPA  secure  and  ANON-sID-CPA  secure, 
then  the  MRQED  scheme  is  selectively  secure. 

Proof:  By  the  hybrid  argument.  ■ 


Hence, it suffices to prove our MRQED construction IND-sID-CPA and ANON-sID-CPA secure. We say that an MRQED scheme is $(\tau, q, \epsilon)$ secure if any adversary making $q$ range queries for decryption keys cannot have more than $\epsilon$ advantage within time $\tau$.

Theorem 3.7.6 (Confidentiality) Suppose $\mathcal{G}$ satisfies the $(\tau, \epsilon)$ D-BDH assumption; then the above defined MRQED scheme is $(\tau', q, \epsilon)$ IND-sID-CPA secure, where $\tau' < \tau - \Theta(qD\log T)$.

Theorem 3.7.7 (Anonymity) Suppose $\mathcal{G}$ satisfies the $(\tau, \epsilon)$ D-Linear assumption; then the above defined MRQED scheme is $(\tau', q, \epsilon')$ ANON-sID-CPA secure, where $\tau' < \tau - \Theta(qD\log T)$, and $\epsilon' = (2D\log T + 1)(\epsilon + 1/p)$.

In particular, $\Theta(qD\log T)$ comes from the fact that the simulator needs $O(D\log T)$ time to compute the decryption key for each hyper-rectangle queried. The $2D\log T + 1$ loss factor in $\epsilon'$ comes from the hybrid argument we use to prove anonymity, and the additive $1/p$ comes from the probability that bad events happen in the simulation so that the simulator has to abort.


3.7.1  Proof:  Confidentiality 

Proof of Theorem 3.7.6

We reduce the semantic security of MRQED to the hardness of the D-BDH problem. Let $[g, g_1, g_2, g_3, Z]$ denote the D-BDH instance supplied to the simulator $\mathcal{B}$, where $g_1 = g^{z_1}$, $g_2 = g^{z_2}$, $g_3 = g^{z_3}$; the simulator's task is to decide whether or not $Z = e(g, g)^{z_1 z_2 z_3}$. To do this, the simulator leverages an MRQED IND-sID-CPA adversary $\mathcal{A}$.

We describe a reduction such that if $Z = e(g, g)^{z_1 z_2 z_3}$, the simulator produces a valid ciphertext; otherwise, the first term $c$ in the ciphertext is random. Hence, if the adversary could break the confidentiality of the scheme, the simulator would be able to solve the D-BDH problem.

Init: The adversary selects a point $X^* \in L_\Delta$ that it wishes to attack. For $\varphi \in [D] \times [L]$, define $I^*_\varphi = I_\varphi(X^*)$.
Setup: To create public and private parameters, the simulator does the following:

1. Pick at random from $\mathbb{Z}_p^{12DL}$

$[\alpha_{\varphi,n}, \beta_{\varphi,n}, \theta_{\varphi,n}, \theta'_{\varphi,n}, \ldots]_{\varphi=(d,l)\in[D]\times[L],\, n\in[2]}$

subject to the constraint that

$[\theta_{\varphi,n} I^*_\varphi + \theta'_{\varphi,n} = 0]_{\varphi=(d,l)\in[D]\times[L],\, n\in[2]}$

where $I^*_\varphi = I_\varphi(X^*)$. We also require that the $\alpha$'s, $\beta$'s, $\theta$'s and $\theta'$'s are forcibly non-zero.

2.  Release  the  following  public  parameters  to  the  adversary. 


/  0  n  \Ottpn  I  /O'  O' 

(g(,v’ngiv’n)  ,  o!vn  <-  , 

,/  /  fl'  fl'  A 

v  <“  (0  *’■"01  ”■") 


\  (3<p,n 


fi-e(ji,92),  /•"  .  „  ,  ,, 

^  ■  >.«■  »  -  «  -  /  -  ;»=(«[»„[«, 

Note that this posits that $\omega = z_1 z_2$; in addition, both $\omega$ and $u$ are unknown to the simulator.


3.  Compute  what  it  can  of  the  master  key. 


^  4 _  ri  ^^n 

y  5 

/  0  0  \°'ip,n(jip,n 

yv,n  <-  (g  v'ng A’”) 


b 

yv,n 


gdtfi,n 


ip  ,71 

/  /  ft'  ft'  \aip,nPip,n 

[g‘p’ngi‘p’n] 


<p=  ( d,l)£  [ D]  X  [L]  ,n£  [2] 


Portion  u  of  the  master  key  is  unknown  to  the  simulator. 


Phase 1: Suppose the adversary makes a decryption key query for the hyper-rectangle

$B(s_1, t_1, s_2, t_2, \ldots, s_D, t_D)$.

Since $B$ does not contain $X^*$, there exists a dimension $d_0 \in [D]$ such that $x^*_{d_0} \notin [s_{d_0}, t_{d_0}]$, where $x^*_{d_0}$ is $X^*$ projected onto the $d_0$th dimension. Hence, there exists a dimension $d_0 \in [D]$ such that for all $ID \in \Lambda_{d_0}(B)$, $ID \neq I^*_\varphi$, where $\varphi = (d_0, l) = \Phi(ID)$. We say that $X^*$ does not overlap with $B$ in dimension $d_0$. The simulator now does the following:

1. Pick $d_0$ such that $X^*$ does not overlap with $B$ in dimension $d_0$. Let $n_0 = 1$.


2.  Pick  the  following  numbers  at  random  from  Zp+2^A  : 


i^d]dG\Dv  [WL 


y  [^ID,n] 


I  d€[D]’  L',J^’n0J/DeAd0(B)’  l''11J’nilDeAdo(B),n/=n0 

subject to the constraint that $\sum_{d \in [D]} \mu_d = 0$.

3. For all $ID \in \Lambda_\cup(B) - \Lambda_{d_0}(B)$, let $DK(ID) = (k_{ID,0}, [k^{(a)}_{ID,1}, k^{(b)}_{ID,1}], [k^{(a)}_{ID,2}, k^{(b)}_{ID,2}])$ represent the element in $DK$ for $ID$, let $\varphi = (d, l) = \Phi(ID)$ where $d \neq d_0$, and compute and release $DK(ID)$ as below:


n  {yv,nIDy,v,ny 


(a) 

Vo.ti 


nG[2] 
—  Xt 


->  *ID,n  L1' 

dV,n  )  *ID,n 


h  ~^ID,n 
up>,n 


-  nG[ 2] 
4. For all $ID \in \Lambda_{d_0}(B)$, let $\varphi_0 = (d_0, l) = \Phi(ID)$, and compute and release $DK(ID)$ as below:


k/D,o  <-  ^ffd°  •  n  {y<po,nIDy'vo,n) 

ne  [2] 


,  (a) 

K/Z),n  <  a<PO,n 


—A lD,n  |<(b) 

>  *ID,n 


A ID 


k  —A JB,„ 

U(/?0,TI 


-  rae  [2] 


where

$\tilde{\lambda}_{ID,n_0} = \lambda_{ID,n_0} - \dfrac{z_2}{\alpha_{\varphi_0,n_0}\, \beta_{\varphi_0,n_0}\, \Theta_{\varphi_0,n_0}}$ (3.2)

$\Theta_{\varphi_0,n_0} = \theta_{\varphi_0,n_0}\, ID + \theta'_{\varphi_0,n_0} \neq 0.$

This ensures that $\tilde{\lambda}_{ID,n_0}$ is distributed uniformly at random in $\mathbb{Z}_p$. Since $\theta_{\varphi_0,n_0} I^*_{\varphi_0} + \theta'_{\varphi_0,n_0} = 0$, and moreover the simulator has picked $d_0$ such that $ID \neq I^*_{\varphi_0}$, we have $\Theta_{\varphi_0,n_0} \neq 0$. Although the simulator does not know $\tilde{\lambda}_{ID,n_0}$ (since it does not know $z_2$), it can compute $a_{\varphi_0,n_0}^{-\tilde{\lambda}_{ID,n_0}}$ and $b_{\varphi_0,n_0}^{-\tilde{\lambda}_{ID,n_0}}$ given $g^{z_2}$. Since the simulator does not know $u$, we now explain how to compute $k_{ID,0}$. The simulator rewrites the equation for $k_{ID,0}$ as


kiD,o  — 


0  •  {yw,2IDy[ 


\  A ID, 2 
^0,2/ 


~  (  ID  I  \^ID,  1 

■  ^  ■  \y<p 0,1  y<p o,i J 


Let $\Psi = g^{\mu_{d_0}} \cdot (y_{\varphi_0,2}^{ID}\, y'_{\varphi_0,2})^{\lambda_{ID,2}}$; then $k_{ID,0} = \Psi \cdot u \cdot (y_{\varphi_0,n_0}^{ID}\, y'_{\varphi_0,n_0})^{\tilde{\lambda}_{ID,n_0}}$. The simulator can compute the part $\Psi$ because it possesses all the parameters required to compute it.

Although the simulator cannot directly compute the value of $\tilde{\lambda}_{ID,n_0}$ (since it does not know $z_2$), it is capable of computing $k_{ID,0}$ given $g^{z_1}$ and $g^{z_2}$, since if we rewrite $k_{ID,0}$ as below, we can see that the exponent only contains $z_1$ and $z_2$ to the first degree. For convenience, we omit the subscripts $\varphi_0$, $n_0$ and $ID$ below by letting $\alpha = \alpha_{\varphi_0,n_0}$, $\beta = \beta_{\varphi_0,n_0}$, $\theta = \theta_{\varphi_0,n_0}$,


O'  =  OL.nn’  0  =  6Wt10>  O'  =  O'u 


A  =  A 


Po,n0 
ID, uq  • 


¥0,n0 


,  y  =  yvo,n 0,  y'  =  y[ 


<P0,n0 


5  ©  ©</?0?^0’  ^  ^ 


'/D,no’ 


,x\  A -z2/(a(3Q) 


kID,0  =T  •  gZlZ2  ■  (yIDy)  =  T  ■  gz ^  ■  {^{o+z^id 

_  vp  .  gziz2  .  g-ziZ2(e-ID+e')/e  .  Hzuzz&fififi'  ,9,0'  ^K&ID)  _  ^  .  f(z1,Z2,a,P,e,0',e,e',>i,'B,ID) 


where  f(z\,z2,a,l3,6,6' ,6,6' ,\,Q,ID)  is  a  polynomial  where  variables  z±  and  z2  have 
maximum  degree  1. 


Challenge: The adversary gives the simulator two messages $\mathrm{Msg}_0$ and $\mathrm{Msg}_1$. The simulator picks a random bit $b$, and encrypts $\mathrm{Msg}_b$ under point $X^*$ as below:

1. Pick random integers $[r_{\varphi,n}]_{\varphi=(d,l)\in[D]\times[L],\, n\in[2]} \in \mathbb{Z}_p^{2DL}$.

2. Compute and release the following as the ciphertext.


(Msg6||0 m')-Z  \g3, 


\Q<p,nDp+6'Vtn 


(0: 


3  ■  9 


®v,nI?o+9L. 


x^p,n  yu<p1n-xLp 


-  <p=(d,l)£[D\x[L],n£[2\ 
Note that this implies that $r = z_3$; and if $Z = e(g, g)^{z_1 z_2 z_3}$, it is easy to verify that the ciphertext is well-formed, due to the fact that $[\theta_{\varphi,n} I^*_\varphi + \theta'_{\varphi,n} = 0]_{\varphi=(d,l)\in[D]\times[L],\, n\in[2]}$. On the other hand, if $Z$ is a random number, then the first term $c$ in the ciphertext is random and independent of the remaining terms.

Phase 2: Phase 1 is repeated.

Guess: When the adversary outputs a guess $b'$ of $b$, the simulator outputs 1 if $b' = b$ and 0 otherwise, in answer to the D-BDH instance. ■

3.7.2  Proof:  Anonymity 

In Definition 3.7.2 of the selective-ID anonymity game, the challenger flips a random coin $b$ in the Challenge phase. An equivalent definition is one where the challenger flips the coin $b$ in the Setup phase, before running the Setup$(\Sigma, L_\Delta)$ algorithm. This new definition can be further translated into a real-or-random version, which we will use in the following proof of anonymity. In the real-or-random game, the adversary commits to only one point $X^*$ in the Init phase; any of its subsequent range queries must not contain $X^*$; in the Challenge phase, the challenger either returns a faithful encryption of $\mathrm{Msg}$ under $X^*$ or a completely random ciphertext; and the adversary's job is to distinguish between these two worlds. It is easy to verify that the above real-or-random definition implies the selective-ID anonymity definition as stated in Definition 3.7.2.

The proof of anonymity is carried out in $2DL$ steps using a hybrid argument. To do this, we define the following games, where $*$ represents a number distributed uniformly at random from the appropriate group.

$W_{\mathrm{real}}$: The challenge ciphertext is $(c, c_0, [c^{(a)}_{(1,1),1}, c^{(b)}_{(1,1),1}], [c^{(a)}_{(1,1),2}, c^{(b)}_{(1,1),2}], \ldots, [c^{(a)}_{(D,L),2}, c^{(b)}_{(D,L),2}])$;

$W_0$: The challenge ciphertext is $(*, c_0, [c^{(a)}_{(1,1),1}, c^{(b)}_{(1,1),1}], [c^{(a)}_{(1,1),2}, c^{(b)}_{(1,1),2}], \ldots, [c^{(a)}_{(D,L),2}, c^{(b)}_{(D,L),2}])$;

$W_{1,1,1}$: The challenge ciphertext is $(*, c_0, [*, *], [c^{(a)}_{(1,1),2}, c^{(b)}_{(1,1),2}], \ldots, [c^{(a)}_{(D,L),2}, c^{(b)}_{(D,L),2}])$;

$W_{1,1,2}$: The challenge ciphertext is $(*, c_0, [*, *], [*, *], [c^{(a)}_{(1,2),1}, c^{(b)}_{(1,2),1}], \ldots, [c^{(a)}_{(D,L),2}, c^{(b)}_{(D,L),2}])$;

$\ldots$

$W_{D,L,1}$: The challenge ciphertext is $(*, c_0, [*, *], \ldots, [*, *], [c^{(a)}_{(D,L),2}, c^{(b)}_{(D,L),2}])$;

$W_{D,L,2}$: The challenge ciphertext is $(*, c_0, [*, *], [*, *], \ldots, [*, *])$.

In step $(d, l, n)$ of the hybrid argument, we show that $W_{d,l,n}$ is computationally indistinguishable from the previous world. Note that the transition from $W_{\mathrm{real}}$ to $W_0$ is the standard notion of semantic security, and has been proved in the previous section. In addition, $W_{D,L,2}$ is computationally indistinguishable from a completely random ciphertext, hence is anonymous.




We reduce the anonymity of our MRQED scheme to the hardness of the D-Linear problem. We rewrite the D-Linear problem as follows: given $[g, g^{z_1}, g^{z_2}, Y, g^{z_2 z_4}, g^{z_3 + z_4}] \in \mathbb{G}^6$, where $z_1, z_2, z_3, z_4$ are picked at random from $\mathbb{Z}_p$, decide whether $Y = g^{z_1 + z_3}$. It is easy to show that this is equivalent to the original D-Linear problem. For convenience, let $g_1 = g^{z_1}$, $g_2 = g^{z_2}$, $g_{24} = g^{z_2 z_4}$, $g_{34} = g^{z_3 + z_4}$. Without loss of generality, we show only how to prove step $(d_1, l_1, n_1)$ of the hybrid argument.

Lemma 3.7.8 Suppose $\mathcal{G}$ satisfies the $(\tau, \epsilon)$ D-Linear assumption; then no adversary making $q$ decryption key queries, within time $\tau - \Theta(qD\log T)$, can distinguish between $W_{d_1,l_1,n_1}$ and the preceding game with more than $\epsilon + 1/p$ probability.

Proof of Lemma 3.7.8 Let $\varphi_1 = (d_1, l_1)$. We describe a reduction such that if $Y = g^{z_1 + z_3}$, then the simulator produces a ciphertext in which the block $[c^{(a)}_{\varphi_1,n_1}, c^{(b)}_{\varphi_1,n_1}]$ is well-formed; otherwise, if $Y$ is picked at random, the block is random as well. Hence, if the adversary can distinguish between the two scenarios, the simulator can solve the D-Linear problem.

Init: The adversary selects a point $X^*$ in space that it wishes to attack. Define $I^*_\varphi = I_\varphi(X^*)$.
Setup: To create public and private parameters, the simulator does the following:

1.  Pick  the  following  parameters  at  random  from  Z32DL~3: 


U,  (3<p,m  0<p,m  ^>,n]  <p=(d, l)£[D]x[L],n£[2],(v,n)^(<f  4,114)  ’ 

subject  to  the  constraint  that 


<f=(d,l)e{D]x[L\,n£[2] 


KnZp  ip=(d,l)G[D]  X  [L] 

where $I^*_\varphi = I_\varphi(X^*)$.

We require that the $\alpha$'s, $\beta$'s, $\theta$'s and $\theta'$'s are forcibly non-zero. In addition, later in Equation (3.5) we will need that $\theta_{\varphi_1,n_1}\, ID + \theta'_{\varphi_1,n_1} \neq 0$. Hence, the simulator simply aborts if it happens to pick $\theta$ such that this expression equals 0. Note that this happens with probability $1/p$, and this explains why the $1/p$ additive factor exists in the adversary's advantage in Lemma 3.7.8.

2.  Compute  and  release  to  the  adversary  the  following  public  parameters: 


^  <-  e(p,p)“,a( 

0, 


'<Pi,ni 


<P,n 

! 

if,n 


(g‘r-~gi‘r-"Y'n  <K,n «-  (ge'r-n g\“r'nY" 
(g^g^-'Y-’.b'  -  (g^-g^-Y' 


nt 


X 


nr 

g2  Vl'ni  ; 


¥?= (d,l)e [D]  x  [L\  ,ne [2] , (c/?,n)/(c/?i ,ni ) 


This posits that $\alpha_{\varphi_1,n_1} = z_1$ and $\beta_{\varphi_1,n_1} = z_2$, both of which are unknown to the simulator.

3.  Compute  what  it  can  of  the  private  key: 


9  ;  ‘G1,n1  9li  ^(pijni  *  92i 


3  < —  naV,n 

atp,n  y  ? 

—  gPip,n 

/  f)  P  \OL<priP<p,n 

yv,n  <-  {g°v'ng Xn) 

-  X'^gi 

¥>=(ci,i)G[r>]x[L],nG[2],(^,n)^(v5i,ni) 


Note that the simulator does not know $y_{\varphi_1,n_1}$ and $y'_{\varphi_1,n_1}$.




The following lemma shows that even if we do not know the parameters $z_1$, $z_2$, $y_{\varphi_1,n_1}$ or $y'_{\varphi_1,n_1}$, we can still compute certain terms efficiently.

Lemma 3.7.9 In step $(d_1, l_1, n_1)$ of the hybrid argument, let $\varphi_1 = (d_1, l_1)$. Suppose we are given $(d_2, l_2, n_2) \neq (d_1, l_1, n_1)$, and let $\varphi_2 = (d_2, l_2)$. Suppose $ID_1$ and $ID_2$ are nodes such that $\Phi(ID_1) = \varphi_1$ and $\Phi(ID_2) = \varphi_2$ and $ID_2 \neq I^*_{\varphi_2}$. Moreover, suppose we are given $\lambda_1 \in \mathbb{Z}_p$. Then, even though the simulator does not know $y_{\varphi_1,n_1}$, it can efficiently generate the following term, such that its resulting distribution is the same as when $\lambda_2$ is picked uniformly at random:

$(y_{\varphi_1,n_1}^{ID_1}\, y'_{\varphi_1,n_1})^{\lambda_1} \cdot (y_{\varphi_2,n_2}^{ID_2}\, y'_{\varphi_2,n_2})^{\lambda_2}$ (3.3)

Moreover, the following two terms can also be computed efficiently:

$a_{\varphi_2,n_2}^{-\lambda_2}, \quad b_{\varphi_2,n_2}^{-\lambda_2}$ (3.4)


Proof:  For  simplicity,  let  a  =  a^2)„2,  (3  =  (3V2,n2-  For  1  G  [2],  we  use  simply  0,  to  denote 
and  9'i  to  denote  0'v.ni.  We  use  simply  02  to  denote  0,P2>n2,  and  (f2  to  denote  9'p2U2.  Notice 
we  do  not  define  9\,  since  0Purn  and  0^  are  not  defined.  Define  for  i  G  [2],  0*  =  0*  ■  /  A  +  9\ 
and  define  @2  =  92  ■  ID2  +  02- 

Recall that the simulator picked parameters such that $\theta_2 I^*_{\varphi_2} + \theta'_2 = 0$. In addition, since $ID_2 \neq I^*_{\varphi_2}$ and $\theta_2 \neq 0$,

$\Theta_2 = \theta_2 \cdot ID_2 + \theta'_2 \neq 0.$

First, the simulator picks $\lambda$ uniformly at random and defines

$\lambda_2 = \lambda - \dfrac{z_2 \lambda_1 \Theta_1}{\alpha \beta \Theta_2}.$

Observe that $\lambda_2$ is distributed uniformly, but we cannot compute $\lambda_2$ efficiently because we do not know $z_2$. However, since we know $g^{z_2}$, we can compute $g^{\lambda_2}$ efficiently. Hence, it follows that we can compute the two terms in (3.4) efficiently in the following way:

$a_{\varphi_2,n_2}^{-\lambda_2} = (g^{\lambda_2})^{-\alpha}, \qquad b_{\varphi_2,n_2}^{-\lambda_2} = (g^{\lambda_2})^{-\beta}.$

It remains to show how to compute the term in (3.3). Rewrite (3.3) as below:

<VIDl  7/  lAl  ■  (vIE>2  7/'  )Aa  =  .  (  aPfo+z&VDi  aPM+ZiSQ 

Vi/<£i,ni  i/(£l,7li )  Vi/ (£2 ,712  i/ <£2 ,712 '  ^  l  i/  ^ 

_^zi22Ai0i+a/3(02+2i©2)(A— Z2 Ai©i/a/302)  _  gCt(3Q 2A  _  /^zi\a/3©2A  _  fgZ2\—  Ai0i©2/©2 

which can be computed efficiently given $g^{z_1}$ and $g^{z_2}$. ■

Phase 1: Suppose the adversary makes a decryption query for the hyper-rectangle $B(s_1, t_1, \ldots, s_D, t_D)$. Since $B$ does not contain $X^*$, there exists a dimension $d_0 \in [D]$ such that $x^*_{d_0} \notin [s_{d_0}, t_{d_0}]$, where $x^*_{d_0}$ is $X^*$ projected onto the $d_0$th dimension. Hence, exactly one of the following cases must be true:

Case 1: For all $ID \in \Lambda_{d_1}(B)$ such that $\Phi(ID) = \varphi_1$, $ID \neq I_{\varphi_1}(X^*)$.
Figure 3.3: A 2-dimensional example: Relative position between $X^*$ and the queried hyper-rectangle. (a) Each small rectangle shown is a simple rectangle. Along dimension $d_1$, ranges [3, 4] and [9, 10] correspond to nodes at level $l_1$. (b) The interval tree corresponding to dimension $d_1$.


Case 2: There exists $ID \in \Lambda_{d_1}(B)$ such that $\Phi(ID) = \varphi_1$ and $ID = I_{\varphi_1}(X^*)$. Note that in this case, for all $ID' \in \Lambda_{d_1}(B)$ such that $ID' \neq ID$, $ID' \neq I_{\varphi'}(X^*)$, where $\varphi' = \Phi(ID')$; moreover, there exists a dimension $d_0$ such that for all $ID_0 \in \Lambda_{d_0}(B)$, $ID_0 \neq I_{\varphi_0}(X^*)$, where $\varphi_0 = \Phi(ID_0)$.

Figure 3.3 illustrates the above two cases with a 2-dimensional example. We now explain how the simulator generates the decryption key in each of the above cases.

Case 1: (a) Pick at random $[\mu_d]_{d\in[D]} \in_R \mathbb{Z}_p$, such that $\sum_{d\in[D]} \mu_d = \omega$.

(b) For each $ID \in \Lambda_\cup(B)$ where $\varphi := \Phi(ID) \neq \varphi_1$, pick at random $\lambda_{ID,1}, \lambda_{ID,2}$. Let $DK(ID) = (k_{ID,0}, [k^{(a)}_{ID,1}, k^{(b)}_{ID,1}], [k^{(a)}_{ID,2}, k^{(b)}_{ID,2}])$ represent the element in $DK$ for $ID$, and compute and release $DK(ID)$ as below:


SID,  0 


(a) 

'ID,n 


n  {yi%y'v,n) 


n£[  2] 


-A 


ID,n 


a<£>,n 


,k 


(b) 

ID,n 


i  ^ ID,n 

D(^,n 


ne[  2] 


(c) For each $ID \in \Lambda_\cup(B)$ such that $\Phi(ID) = \varphi_1$, the simulator can compute the following $DK(ID)$ efficiently:


sid, o  <■ 
k(a) 

KID,n 


dck  •  n  (O^n) 

ne[2] 


A  ID,n 


I D  ,n 


itp  i,n 


j  k 


(b) 

ID,n 


i  ^ ID,n 


ne[  2] 


Since the simulator does not know y_{φ_1,n_1} or y'_{φ_1,n_1}, it needs to use Lemma 3.7.9 to generate DK(ID). Let n' ≠ n_1. To apply Lemma 3.7.9, the simulator first picks at random λ_{ID,n_1}, and rewrites k_{ID,0} as

    k_{ID,0} = g^{μ_{d_1}} · (y^{ID}_{φ_1,n_1} y'_{φ_1,n_1})^{λ_{ID,n_1}} · (y^{ID}_{φ_1,n'} y'_{φ_1,n'})^{λ_{ID,n'}}.

Since ID ≠ Λ_{φ_1}(X*), the simulator can apply Lemma 3.7.9 by substituting (d_2, l_2, n_2) in the lemma with (d_1, l_1, n'), and λ_1 with λ_{ID,n_1}; in addition, both ID_1 and ID_2 in the lemma are substituted with ID.

Case 2: (a) Pick at random {μ_d}_{d∈[D]} ∈_R Z_p such that Σ_{d∈[D]} μ_d = ω.

(b) For each ID ∈ Λ(B) − Λ_{d_0}(B) − Λ_{d_1}(B) where φ := Φ(ID) = (d, l), d ≠ d_0 and d ≠ d_1, pick at random λ_{ID,1}, λ_{ID,2}. Let DK(ID) = (k_{ID,0}, [k^{(a)}_{ID,1}, k^{(b)}_{ID,1}], [k^{(a)}_{ID,2}, k^{(b)}_{ID,2}]) represent the element in DK for ID, compute and release DK(ID) as below:

    k_{ID,0} ← g^{μ_d} · ∏_{n∈[2]} (y^{ID}_{φ,n} y'_{φ,n})^{λ_{ID,n}},    k^{(a)}_{ID,n} ← a_{φ,n}^{-λ_{ID,n}},    k^{(b)}_{ID,n} ← b_{φ,n}^{-λ_{ID,n}},    n ∈ [2].


(c) Let \overline{ID} ∈ Λ_{d_1}(B) and \overline{ID} = Λ_{φ_1}(X*). There exists exactly one such \overline{ID}. The simulator picks at random λ_{\overline{ID},n_1} ∈_R Z_p. Define Υ = (y^{\overline{ID}}_{φ_1,n_1} y'_{φ_1,n_1})^{λ_{\overline{ID},n_1}}.

(d) For each ID ∈ Λ_{d_0}(B) where φ_0 = (d_0, l) := Φ(ID), compute and release DK(ID):

    k_{ID,0} ← g^{μ_{d_0}} · Υ · ∏_{n∈[2]} (y^{ID}_{φ_0,n} y'_{φ_0,n})^{λ_{ID,n}},    k^{(a)}_{ID,n} ← a_{φ_0,n}^{-λ_{ID,n}},    k^{(b)}_{ID,n} ← b_{φ_0,n}^{-λ_{ID,n}},    n ∈ [2].

This implies that \tilde{μ}_{d_0} = g^{μ_{d_0}} · Υ. Note that Υ cannot be computed efficiently, as the simulator does not know y_{φ_1,n_1} or y'_{φ_1,n_1}. However, since ID ≠ Λ_{φ_0}(X*), the simulator can apply Lemma 3.7.9 by substituting (d_2, l_2, n_2) in the lemma with (d_0, l, 1), λ_1 with λ_{\overline{ID},n_1}, ID_1 with ID, and ID_2 with \overline{ID}. The remaining terms in k_{ID,0} can be computed efficiently.


(e) For each ID ∈ Λ_{d_1}(B) where φ = (d_1, l) := Φ(ID) ≠ φ_1, compute and release DK(ID):


n 


This implies that \tilde{μ}_{d_1} = g^{μ_{d_1}} · Υ^{-1}. Note that Υ^{-1} cannot be computed efficiently, as the simulator does not know y_{φ_1,n_1} or y'_{φ_1,n_1}. However, since ID ≠ Λ_φ(X*), the simulator can apply Lemma 3.7.9 by substituting (d_2, l_2, n_2) in the lemma with (d_1, l, 1), λ_1 with −λ_{\overline{ID},n_1}, ID_1 with ID, and ID_2 with \overline{ID}. The remaining terms in k_{ID,0} can be computed efficiently.
(f) For \overline{ID}, let n' ≠ n_1. Pick λ_{\overline{ID},n'} at random from Z_p. Then compute and release the following DK(\overline{ID}):

    k_{\overline{ID},0} ← g^{μ_{d_1}} · Υ^{-1} · ∏_{n∈[2]} (y^{\overline{ID}}_{φ_1,n} y'_{φ_1,n})^{λ_{\overline{ID},n}},    k^{(a)}_{\overline{ID},n} ← a_{φ_1,n}^{-λ_{\overline{ID},n}},    k^{(b)}_{\overline{ID},n} ← b_{φ_1,n}^{-λ_{\overline{ID},n}},    n ∈ [2].

As before, here \tilde{μ}_{d_1} = g^{μ_{d_1}} · Υ^{-1}. k_{\overline{ID},0} can be computed because the terms containing y_{φ_1,n_1} and y'_{φ_1,n_1} cancel out, leaving k_{\overline{ID},0} = g^{μ_{d_1}} · (y^{\overline{ID}}_{φ_1,n'} y'_{φ_1,n'})^{λ_{\overline{ID},n'}}.

(g) For each ID ∈ Λ_{d_1}(B) such that Φ(ID) = φ_1 and ID ≠ \overline{ID}, compute and release DK(ID):

    k_{ID,0} ← g^{μ_{d_1}} · Υ^{-1} · ∏_{n∈[2]} (y^{ID}_{φ_1,n} y'_{φ_1,n})^{λ_{ID,n}},    k^{(a)}_{ID,n} ← a_{φ_1,n}^{-λ_{ID,n}},    k^{(b)}_{ID,n} ← b_{φ_1,n}^{-λ_{ID,n}},    n ∈ [2].

Again, to be able to generate k_{ID,0}, Lemma 3.7.9 is required. However, in this case, a slight complication is involved, since two terms in k_{ID,0} contain y_{φ_1,n_1} and y'_{φ_1,n_1}:

    k_{ID,0} = g^{μ_{d_1}} · Υ^{-1} · ∏_{n∈[2]} (y^{ID}_{φ_1,n} y'_{φ_1,n})^{λ_{ID,n}}
             = g^{μ_{d_1}} · (y^{\overline{ID}}_{φ_1,n_1} y'_{φ_1,n_1})^{-λ_{\overline{ID},n_1}} · (y^{ID}_{φ_1,n_1} y'_{φ_1,n_1})^{λ_{ID,n_1}} · (y^{ID}_{φ_1,n'} y'_{φ_1,n'})^{λ_{ID,n'}}.

Now the simulator picks \tilde{λ}_{ID,n_1} at random from Z_p^*, and computes


A 


/D,ni 


n 

\  uipi,ni 

^ID,ni  ~ 


-  a(/d) 

/xn  i 


(3.5) 


Here we require that θ_{φ_1,n_1} · ID + θ'_{φ_1,n_1} ≠ 0. Notice that ID ≠ I^*_x. As we explained in the Setup stage, the simulator aborts if it happens to pick θ_{φ_1,n_1}, θ'_{φ_1,n_1} such that θ_{φ_1,n_1} · ID + θ'_{φ_1,n_1} = 0. Hence,

    k_{ID,0} = g^{μ_{d_1}} · (y^{ID}_{φ_1,n_1} y'_{φ_1,n_1})^{\tilde{λ}_{ID,n_1}} · (y^{ID}_{φ_1,n'} y'_{φ_1,n'})^{λ_{ID,n'}}.

And now the simulator can apply Lemma 3.7.9 by substituting (d_2, l_2, n_2) in the lemma with (d_1, l_1, n'), λ_1 with \tilde{λ}_{ID,n_1}, ID_1 with ID, and ID_2 with ID.

Challenge: On receiving a message Msg from the adversary, the simulator does the following:

1. Pick random integers {r_{φ,n}}_{φ=(d,l)∈[D]×[L], n∈[2]} ∈ Z_p^{2DL}.

2. Compute and release the following as the ciphertext.


*,  gt 4,  [*,*],•■■»  b  *L  {gl , 

n^5+0js,n)  (^34  •  g~rV,'n-^0‘‘f’’n{^‘p’rl^'‘P~^^i 


-  (di ,li,ni)<(d,l,n)<(D,L,2),<p=(d,l) 


where (d, l, n) < (d', l', n') if and only if 1) d < d'; or 2) d = d' and l < l'; or 3) (d, l) = (d', l') and n < n'.

Note that this implies that r = z_3 + z_4 and r_{φ_1,n_1} = z_4. If Y = g^{z_3 + z_4}, it is easy to verify that the ciphertext is well-formed, due to the fact that


\P<p,n^tp  +  ®ip,n  0]  (d,l,n)^(di,h,ni),<p=(d,l) 

If Y is a random number, then the term with index (φ_1, n_1) is random and independent of the remaining terms of the ciphertext.

Phase 2: Phase 1 is repeated.

Guess: If the adversary guesses that the ciphertext is an encryption of Msg under X*, the simulator guesses that Y = g^{z_3 + z_4}. Else if the adversary guesses that the ciphertext is the encryption under a random point, then the simulator guesses that Y is picked at random from G. ■

Proof of Theorem 3.7.7: The theorem follows naturally from Lemma 3.7.8 and the hybrid argument. ■
Chapter 4

Delegating Capabilities in Predicate Encryption


In this chapter, we demonstrate how to add delegation to predicate encryption systems. We first give the formal definition for delegation in predicate encryption, including definitions of security. While our big goal is to support expressive query predicates, as an initial step towards this vision, we shall first add delegation to predicate systems supporting conjunctive queries. In particular, we add delegation to an HVE-like construction, and we call the new scheme Delegatable Hidden Vector Encryption (dHVE). The technical contents of this chapter have been published in ICALP 2008.


4.1  Definitions 

We introduce the notion of delegation in predicate encryption systems and provide a formal definition of security.

In a predicate encryption system, some user, Alice, creates a public key and a corresponding master key. Using her master key, Alice can compute and hand out a token to Bob, such that Bob is able to evaluate some function^1, f, on the plaintext that has been encrypted. Meanwhile, Bob cannot learn any more information about the plaintext, apart from the output of the function f.

In this thesis, we consider the role of delegation in predicate encryption systems. Suppose Alice (the master key owner) has given Bob tokens to evaluate a set of functions f_1, f_2, ..., f_m over ciphertexts. Now Bob wishes to delegate to Charles the ability to evaluate the functions {f_1 + f_2, f_3, f_4} over the ciphertext. Charles should not be able to learn more information about the plaintext apart from the output of the functions {f_1 + f_2, f_3, f_4}. For example, although Charles can evaluate f_1 + f_2, he should not be able to learn f_1 or f_2 separately. In general, Bob may be interested in delegating any set of functions that is more restrictive than what he is able to evaluate with his tokens. In general, a user who has a delegated capability can in turn create an even more restricted capability. For example, after obtaining a token from Bob for functions {f_1 + f_2, f_3, f_4}, Charles may now decide to delegate to his friend David a token to evaluate f_3 · f_4.

^1 Although we focus on functions that are predicates in our solutions, we use the more general term of functions in this discussion and our formal definitions.


4.1.1  Definition 


We now formally define delegation in predicate encryption systems in a way that captures the above notion.

Let X = (x_1, x_2, ..., x_ℓ) ∈ {0,1}^ℓ denote a plaintext. Without loss of generality, assume that we would like to evaluate from the ciphertext boolean functions (a.k.a. predicates) on X. Functions that output multiple bits can be regarded as concatenations of boolean functions. Let ℱ denote the set of all boolean functions from {0,1}^ℓ to {0,1}, i.e., ℱ := {f | f : {0,1}^ℓ → {0,1}}.

We define a token as a capability that allows one to evaluate from the ciphertext a set of functions on X. Tokens will be associated with a set 𝒢 = {g_1, g_2, ..., g_m} ⊆ ℱ that can compute a subset of all available functions. We remark that a token might be represented much more succinctly than |𝒢|. For instance, if one had the capability to learn each individual bit of X one could have a small token, but still compute all 2^{2^ℓ} predicate functions on the input.

A delegatable Predicate Encryption (DPE) scheme consists of the following (possibly randomized) algorithms.

Setup(1^λ) The Setup algorithm takes as input a security parameter 1^λ and outputs a public key PK and a master secret key MSK.

Encrypt(PK, X) The Encrypt algorithm takes as input a public key PK and a plaintext X = (x_1, x_2, ..., x_ℓ) ∈ {0,1}^ℓ and outputs a ciphertext CT.

GenToken(PK, MSK, 𝒢) The GenToken algorithm takes as input a public key PK, master secret key MSK, and a set of boolean functions 𝒢 ⊆ ℱ. It outputs a token for evaluating the set of functions 𝒢 from a ciphertext.

Query(PK, TK_𝒢, CT, f) The Query algorithm takes as input a public key PK, a token TK_𝒢 for the function family 𝒢, a function f ∈ 𝒢, and a ciphertext CT. If CT is an encryption of the plaintext X, then the algorithm outputs f(X).

Delegate(PK, TK_𝒢, 𝒢') The Delegate algorithm takes as input a public key PK, a token for the function family 𝒢 ⊆ ℱ, and 𝒢' ⊆ 𝒢. It computes a token for evaluating the function family 𝒢' on a ciphertext.

Remark 4.1.1 We note that the above definition captures delegation in predicate encryption systems in the broadest sense. In a predicate encryption system, we would like to maximize the expressiveness of delegation; however, one should not be able to delegate beyond what she can learn with her own tokens. Otherwise, the security of predicate encryption would be broken.


Since we care about being able to perform expressive delegations, we can judge a system by its expressiveness, e.g., what types of functions one can evaluate over the ciphertext, and what types of delegations one can perform. Our vision is to design a predicate encryption system that supports a rich set of queries and delegations. As an initial step, we restrict ourselves to some special classes of functions. At the time this research is being conducted, the most expressive predicate encryption system (without delegation) we know of supports conjunctive queries [12]; we focus our efforts on permitting delegation in such systems.

More recently, Katz, Sahai, and Waters proposed a novel predicate encryption system supporting inner product queries [28] and realized a more expressive system. An interesting open direction is to figure out what types of delegation one might realize in their system.


4.1.2  Security 

We  now  define  the  security  for  delegation  in  predicate  encryption  systems.  We  describe  a  query 
security  game  between  a  challenger  and  an  adversary.  This  game  formally  captures  the  notion  that 
the  tokens  reveal  no  unintended  information  about  the  plaintext.  The  adversary  asks  the  challenger 
for  a  number  of  tokens.  For  each  queried  token,  the  adversary  gets  to  specify  its  path  of  derivation: 
whether  the  token  is  directly  generated  by  the  root  authority,  or  delegated  from  another  token.  If 
the  token  is  delegated,  the  adversary  also  gets  to  specify  from  which  token  it  is  delegated.  The 
game  proceeds  as  follows: 

Setup.  The  challenger  runs  the  Setup  algorithm  and  gives  the  adversary  the  public  key  PK. 

Query  1.  The  adversary  adaptively  makes  a  polynomial  number  of  queries  of  the  following  types: 

• Create token. The adversary asks the challenger to create a token for a set of functions 𝒢 ⊆ ℱ. The challenger creates a token for 𝒢 without giving it to the adversary.

• Create delegated token. The adversary specifies a token for function family 𝒢 that has already been created, and asks the challenger to perform a delegation operation to create a child token for 𝒢' ⊆ 𝒢. The challenger computes the child token without releasing it to the adversary.

• Reveal token. The adversary asks the challenger to reveal an already-created token for function family 𝒢.

Note that when token creation requests are made, the adversary does not automatically see the created token. The adversary sees a token only when it makes a reveal token query.

Challenge. The adversary outputs two strings X_0^*, X_1^* ∈ {0,1}^ℓ subject to the following constraint:

For any token revealed to the adversary in the Query 1 stage, let 𝒢 denote the function family corresponding to this token. For all f ∈ 𝒢, f(X_0^*) = f(X_1^*).

Next, the challenger flips a random coin b and encrypts X_b^*. It returns the ciphertext to the adversary.

Query 2. Repeat the Query 1 stage. All tokens revealed in this stage must satisfy the same condition as above.

Guess. The adversary outputs a guess b' of b. The advantage of an adversary 𝒜 in the above game is defined to be Adv_𝒜 = |Pr[b = b'] − 1/2|.

Definition 4.1.1 We say that a delegatable predicate encryption system is secure if for all polynomial-time adversaries 𝒜 attacking the system, its advantage Adv_𝒜 is a negligible function of λ.
Selective security


We also define a weaker security notion called selective security. In the selective security game, instead of submitting two strings X_0^*, X_1^* in the Challenge stage, the adversary first commits to two strings at the beginning of the security game. The rest of the security game proceeds exactly as before. The selective security model has been used earlier in the literature [12].

We say that a delegatable predicate encryption system is selectively secure if all polynomial-time adversaries 𝒜 have negligible advantage in the selective security game.

Remark 4.1.2 We note that our security definition is complete in the sense that in the query phase, the adversary gets to specify, for each queried token, its path of derivation: whether the token is generated by the root authority, or from whom the token has been delegated. In prior work on delegation in identity-based encryption systems (e.g., Hierarchical Identity-Based Encryption (HIBE), Anonymous Hierarchical Identity-Based Encryption (AHIBE) [13]), the security game was under-specified. In these definitions, the adversary did not get to specify from whom each queried token is delegated.

One way to deal with this is to create systems where all tokens are generated from the same probability distribution. For instance, the AHIBE [13] work uses this approach. While this allows us to prove the security of these systems, it can be overkill. Under our security definition, the delegated token need not be picked from the same probability distribution as the non-delegated tokens. In fact, we show that the ability to capture such nuances in our security definition allows us to construct a simpler AHIBE scheme with smaller private key size.


4.1.3  A  simple  example 

To help understand the above definition, we give a simple example similar to that in the BW06 paper [12]. As shown by Figure 4.1, the point X encrypted takes on integer values between 0 and T. Given a, b ∈ [0, T], let f_{a,b} denote the function that decides whether X ∈ [a, b]:

    f_{a,b}(X) = 1 if X ∈ [a, b], and 0 otherwise.

In Figure 4.1 we mark three disjoint segments [a_1, a_2], [a_3, a_4], [a_5, a_6] and four points x, y, z, u. Alice has a token for functions {f_{a_1,a_2}, f_{a_3,a_4}, f_{a_5,a_6}}. This allows her to evaluate the following three predicates: whether a_1 ≤ X ≤ a_2, a_3 ≤ X ≤ a_4, and a_5 ≤ X ≤ a_6. Alice can now distinguish between ciphertexts Encrypt(PK, x) and Encrypt(PK, y), but she cannot distinguish between ciphertexts Encrypt(PK, u) and Encrypt(PK, z).

Alice performs a delegation and computes a child token for the function g(X) = f_{a_1,a_2}(X) ∨ f_{a_3,a_4}(X), and Bob receives this delegated token from Alice. Bob can decide whether (a_1 ≤ X ≤ a_2) ∨ (a_3 ≤ X ≤ a_4); this is a subset of the information allowed by Alice's token. Given this new token, Bob can decide whether X falls inside these two ranges, but he cannot decide between the cases X ∈ [a_1, a_2] or X ∈ [a_3, a_4]. For example, Bob can distinguish between the ciphertexts Encrypt(PK, x) and Encrypt(PK, u), but he cannot distinguish between the ciphertexts Encrypt(PK, x) and Encrypt(PK, y).

[Figure 4.1: a number line from 0 to T with the marks a_1, a_2, a_3, a_4, a_5, a_6]

Figure 4.1: A simple example of predicate encryption similar to the one described in BW06 [12].


4.2  Delegatable  Hidden  Vector  Encryption  (dHVE) 


We propose a primitive called delegatable hidden vector encryption (dHVE), where we add delegation to the HVE construction proposed in BW06 [12]. This is an interesting special case of the general definition given in Section 4.1.1 and represents an initial step toward our bigger vision of enabling expressive queries and delegations in predicate encryption systems.


4.2.1  Delegatable  HVE  overview  (dHVE) 

In our dHVE system, a plaintext consists of multiple "fields". For example, a plaintext can be the tuple (IP, PORT, TIME, LENGTH). A token corresponds to a conjunction of a subset of these fields: we can fix a field to a specific value, make a field "delegatable", or choose not to include a field in a query. For example, the query (IP = ?) ∧ (PORT = 80) ∧ (TIME = 02/10/08) fixes the values of the PORT and TIME fields, and makes the IP field delegatable. The LENGTH field is not included in the query. A party in possession of this token can fill in any appropriate value for the delegatable field IP; however, she cannot change the values of a fixed field such as PORT or delete them from the query, nor can she add the missing field LENGTH to the query. We now give formal definitions for the above notions.

Let Σ denote a finite alphabet and let ?, ⊥ denote two special symbols not in Σ. Define Σ_{?,⊥} := Σ ∪ {?, ⊥}. The symbol ? denotes a delegatable field, i.e., a field where one is allowed to fill in an arbitrary value and perform delegation. The symbol ⊥ denotes a "don't care" field, i.e., a field not involved in some query. Typically, if a query predicate does not concern a specific field, we call this field a "don't care" field. In the aforementioned example, (IP = ?) ∧ (PORT = 80) ∧ (TIME = 02/10/08), the IP field is delegatable, LENGTH is "don't care", and the remaining fields are fixed.

Plaintext Space. In dHVE, our plaintext is composed of a message Msg ∈ {0,1}^* and ℓ fields, denoted by X = (x_1, x_2, ..., x_ℓ) ∈ Σ^ℓ. Capabilities will be evaluated over X, and the Msg component is an extra message that will be divulged in case the predicate evaluates to true.

The Encrypt algorithm takes as input a public key PK, a pair (X, Msg) ∈ Σ^ℓ × {0,1}^*, and outputs a ciphertext CT.

Tokens. In dHVE, a token allows one to evaluate a special class of boolean functions on the fields X ∈ Σ^ℓ. We use a vector σ = (σ_1, σ_2, ..., σ_ℓ) ∈ (Σ_{?,⊥})^ℓ to specify a set of functions being queried. Given σ, let W(σ) denote the indices of all delegatable fields, let D(σ) denote the indices of all "don't care" fields, and let S(σ) denote the indices of the remaining fixed fields. In the following, we use the notation [ℓ] to denote the set {1, 2, ..., ℓ}.

    W(σ) := {i | σ_i = ?},    D(σ) := {i | σ_i = ⊥},
    S(σ) := {i | σ_i ∈ Σ} = [ℓ] \ (W(σ) ∪ D(σ))

Let σ = (σ_1, σ_2, ..., σ_ℓ) ∈ (Σ_{?,⊥})^ℓ; σ specifies the following function family C_σ on the point X = (x_1, ..., x_ℓ) encrypted:

    C_σ := { ⋀_{i ∈ S(σ) ∪ W'} (x_i = a_i)  |  W' ⊆ W(σ), ∀i ∈ W': a_i ∈ Σ, ∀i ∈ S(σ): a_i = σ_i }    (4.1)

In other words, given a token for σ, the family C_σ denotes the set of functions we can evaluate from a ciphertext. For the delegatable fields, we can fill in any appropriate value, but we cannot change or delete any of the fixed fields or add a "don't care" field to the query. If any function in C_σ evaluates to 1, one would also be able to decrypt the payload message Msg.

Remark 4.2.1 The family C_σ is a set of conjunctive equality tests, where we can fill in every delegatable field in σ with a value in Σ or "don't care". In particular, we fill in fields in W' with appropriate values in Σ, and for the remaining delegatable fields W(σ) − W', we fill them with "don't care". If σ has no delegatable field, then the set C_σ contains a single function. This is exactly the case considered by the original HVE construction, where each token allows one to evaluate a single function from a ciphertext.


Delegation. In dHVE, Alice, who has a token for σ, can delegate to Bob a subset of the functions she can evaluate: 1) Alice can fill in delegatable fields (i.e., W(σ)) with a value in Σ or with the "don't care" symbol ⊥; 2) Alice can also leave a delegatable field unchanged (with the ? symbol). In this case, Bob will be able to perform further delegation on that field.

Definition 4.2.1 Let σ = (σ_1, σ_2, ..., σ_ℓ), σ' = (σ'_1, σ'_2, ..., σ'_ℓ) ∈ (Σ_{?,⊥})^ℓ. We say that σ' ≺ σ if for all i ∈ S(σ) ∪ D(σ), σ'_i = σ_i.

Note that σ' ≺ σ means that from TK_σ we can perform a delegation operation and compute TK_{σ'}. In addition, if σ' ≺ σ, then C_{σ'} ⊆ C_σ, i.e., TK_{σ'} allows one to evaluate a subset of the functions allowed by TK_σ.

In summary, we introduce delegatable fields to the original HVE construction. We use the notation σ ∈ (Σ_{?,⊥})^ℓ to specify a function family. Given TK_σ, one can perform a set of conjunctive equality tests (defined by Equation (4.1)) from the ciphertext. One may also fill in the delegatable fields in σ with any value in Σ ∪ {⊥} and compute a child token for the resulting vector. The child token allows one to evaluate a subset of the functions allowed by the parent token.

Example. The trusted authority T issues to A a token for σ_A = (I_1, I_2, ?, ?, ⊥, ⊥, ..., ⊥). This token allows A to evaluate the following functions from the ciphertext:

• (x_1 = I_1) ∧ (x_2 = I_2)

• ∀I_3 ∈ Σ: (x_1 = I_1) ∧ (x_2 = I_2) ∧ (x_3 = I_3)

• ∀I_4 ∈ Σ: (x_1 = I_1) ∧ (x_2 = I_2) ∧ (x_4 = I_4)

• ∀I_3, I_4 ∈ Σ: (x_1 = I_1) ∧ (x_2 = I_2) ∧ (x_3 = I_3) ∧ (x_4 = I_4)

Later, A delegates to B the token σ_B = (I_1, I_2, I_3, ?, ⊥, ⊥, ..., ⊥), where I_3 ∈ Σ. Note that this allows B to evaluate the following functions:

• (x_1 = I_1) ∧ (x_2 = I_2) ∧ (x_3 = I_3)

• ∀I_4 ∈ Σ: (x_1 = I_1) ∧ (x_2 = I_2) ∧ (x_3 = I_3) ∧ (x_4 = I_4)

Clearly, a token for σ_B releases a subset of the information allowed by σ_A. Meanwhile, B is able to further delegate on the x_4 field.


4.2.2 dHVE definition


We now give a formal definition of dHVE.

Setup(1^λ). The Setup algorithm takes as input a security parameter 1^λ and outputs a public key PK and a master secret key MSK.

Encrypt(PK, X, Msg). The Encrypt algorithm takes a public key PK and a pair (X, Msg) ∈ Σ^ℓ × {0,1}^*, and outputs a ciphertext CT.

GenToken(PK, MSK, σ). The GenToken algorithm takes as input a public key PK, a master secret key MSK, and a vector σ ∈ (Σ_{?,⊥})^ℓ. It outputs a token for evaluating the set of conjunctive queries C_σ from a ciphertext.

Delegate(PK, TK_σ, σ'). The Delegate algorithm takes as input a public key PK, a token TK_σ for the vector σ, and another vector σ' ≺ σ. It outputs a delegated token TK_{σ'} for the new vector σ'.

Query(PK, TK_σ, CT, σ'). The Query algorithm takes as input a public key PK, a token TK_σ for the vector σ, a ciphertext CT, and a new vector σ' satisfying the following conditions: (1) σ' ≺ σ; (2) σ' does not contain delegatable fields, that is, such a σ' specifies a single conjunctive query (denoted f_{σ'}) over the point X encrypted. The algorithm outputs f_{σ'}(X); if f_{σ'}(X) = 1, it also outputs the message Msg.


Remark 4.2.2 In comparison to the general definition given in Section 4.1, in dHVE we add a payload message Msg ∈ {0,1}^* to the plaintext. Meanwhile, the conjunctive queries in dHVE are functions on the attributes X ∈ Σ^ℓ, but not on the payload Msg. In addition, if a query matches a point X encrypted, one can successfully decrypt the payload message using the corresponding token. It is not hard to show that the above formalization for dHVE is captured by the general definition given in Section 4.1. We can regard (Msg, X) as an entire bit string, and decrypting the payload Msg can be regarded as evaluating a concatenation of bits from the bit string (Msg, X). We choose to define dHVE with a payload message to be consistent with the HVE definition in BW06 [12].
Selective security of dHVE. We will prove the selective security of our dHVE construction. We give the formal selective security definition below. The full security definition for dHVE can be found in Section 4.7.

• Init. The adversary commits to two strings X_0^*, X_1^* ∈ Σ^ℓ.

• Setup. The challenger runs the Setup algorithm and gives the adversary the public key PK.

• Query 1. The adversary adaptively makes a polynomial number of "create token", "create delegated token", or "reveal token" queries. The queries must satisfy the following constraint: For any token σ revealed to the adversary, let C_σ denote the set of conjunctive queries corresponding to this token.

    ∀ TK_σ revealed, ∀ f ∈ C_σ: f(X_0^*) = f(X_1^*)    (4.2)

• Challenge. The adversary outputs two equal-length messages Msg_0 and Msg_1 subject to the following constraint:

For any token σ revealed to the adversary in the Query 1 stage, let C_σ denote the set of conjunctive queries corresponding to this token.

    ∀ TK_σ revealed: if ∃ f ∈ C_σ, f(X_0^*) = f(X_1^*) = 1, then Msg_0 = Msg_1    (4.3)

The challenger flips a random coin b and returns an encryption of (Msg_b, X_b^*) to the adversary.

• Query 2. Repeat the Query 1 stage. All tokens revealed in this stage must satisfy constraints (4.2) and (4.3).

• Guess. The adversary outputs a guess b' of b.

The advantage of an adversary 𝒜 in the above game is defined to be Adv_𝒜 = |Pr[b = b'] − 1/2|. We say that a dHVE construction is selectively secure if for all polynomial-time adversaries, its advantage in the above game is a negligible function of λ.
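The dHVE token model of Section 4.2.1 (the index sets W, D, S, the family C_σ of Equation (4.1), the relation σ' ≺ σ of Definition 4.2.1 and the σ_A/σ_B example) together with the admissibility constraints (4.2) and (4.3) of the selective security game above, as an added Python example that is not part of the thesis. The alphabet Σ = {a, b, c}, the six-field vectors, the placeholder symbols and all helper names are assumptions, and admissible_fast uses a closed form of (4.2) derived for this example rather than stated in the thesis.

```python
# Added example (not from the thesis): a plain-Python model of dHVE tokens.
# sigma is a tuple over Σ ∪ {?, ⊥}; "?" marks a delegatable field and "_"
# stands in for the don't-care symbol ⊥.  Alphabet and field values are
# constructed for the demo; helper names are assumptions.
from itertools import combinations, product

WILD, DONTCARE = "?", "_"
SIGMA = ("a", "b", "c")          # constructed finite alphabet Σ


def index_sets(sigma):
    """(W(σ), D(σ), S(σ)): delegatable, don't-care and fixed field indices, 1-based."""
    W = frozenset(i for i, s in enumerate(sigma, 1) if s == WILD)
    D = frozenset(i for i, s in enumerate(sigma, 1) if s == DONTCARE)
    S = frozenset(range(1, len(sigma) + 1)) - W - D
    return W, D, S


def conj_query(tau):
    """A ?-free vector τ specifies one conjunctive equality test f_τ on X."""
    if WILD in tau:
        raise ValueError("Query needs a vector without delegatable fields")
    return lambda X: int(all(t == DONTCARE or t == x for t, x in zip(tau, X)))


def family(sigma, alphabet=SIGMA):
    """C_σ of Equation (4.1) as the set of ?-free vectors it contains: every
    W' ⊆ W(σ) is filled from Σ, the remaining delegatable fields become ⊥."""
    W, _, _ = index_sets(sigma)
    members = set()
    for k in range(len(W) + 1):
        for Wp in combinations(sorted(W), k):
            for vals in product(alphabet, repeat=k):
                fill = dict(zip(Wp, vals))
                members.add(tuple(fill.get(i, DONTCARE if i in W else s)
                                  for i, s in enumerate(sigma, 1)))
    return members


def precedes(child, parent):
    """σ' ≺ σ (Definition 4.2.1): σ' agrees with σ on every fixed and don't-care field."""
    if len(child) != len(parent):
        return False
    _, D, S = index_sets(parent)
    return all(child[i - 1] == parent[i - 1] for i in D | S)


def delegate(sigma, fills, alphabet=SIGMA):
    """Fill delegatable fields with a value in Σ or with ⊥.  Fixed and
    don't-care fields are rejected, so the result always satisfies child ≺ σ."""
    out = list(sigma)
    for i, v in fills.items():
        if sigma[i - 1] != WILD or v not in alphabet + (DONTCARE,):
            raise ValueError(f"field {i} cannot be set to {v!r}")
        out[i - 1] = v
    return tuple(out)


def admissible(sigma, X0, X1, msg0=None, msg1=None, alphabet=SIGMA):
    """Brute-force check of constraint (4.2), and of (4.3) when payloads are
    given, for one revealed token TK_σ against the committed X0*, X1*."""
    fs = [conj_query(t) for t in family(sigma, alphabet)]
    if any(f(X0) != f(X1) for f in fs):
        return False                      # some f ∈ C_σ separates X0*, X1*
    if msg0 is not None and any(f(X0) == f(X1) == 1 for f in fs):
        return msg0 == msg1               # a matching query would decrypt Msg
    return True


def admissible_fast(sigma, X0, X1):
    """Closed form of (4.2), derived for this example (not stated in the thesis):
    X0*, X1* must both match or both miss the fixed fields S(σ); if both match
    they must also agree on every field of W(σ), since W' = {i} would otherwise
    separate them.  The ⊥ fields never matter."""
    W, _, S = index_sets(sigma)
    m0 = all(X0[i - 1] == sigma[i - 1] for i in S)
    m1 = all(X1[i - 1] == sigma[i - 1] for i in S)
    return m0 == m1 and (not m0 or all(X0[i - 1] == X1[i - 1] for i in W))


if __name__ == "__main__":
    # Six fields, I1, I2, I3 := a, b, c, as in the sigma_A / sigma_B example
    sigma_A = ("a", "b", WILD, WILD, DONTCARE, DONTCARE)
    sigma_B = delegate(sigma_A, {3: "c"})      # A fixes x3, leaves x4 delegatable
    assert precedes(sigma_B, sigma_A) and family(sigma_B) <= family(sigma_A)
    X = ("a", "b", "c", "a", "b", "b")
    for tau in sorted(family(sigma_B)):
        print(tau, conj_query(tau)(X))
    print(admissible(sigma_B, X, ("a", "b", "c", "b", "b", "b")))   # False: differ on x4
```

Running the block prints the four queries in C_{σ_B} with their outcome on X, and shows that a second plaintext differing only in the delegatable field x_4 would be an inadmissible challenge pair for a revealed TK_{σ_B}.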

Observation 4.2.1 Anonymous Hierarchical Identity-Based Encryption (AHIBE) is a special case of the above-defined dHVE scheme.

AHIBE is very similar to the dHVE definition given above. The only difference is that in AHIBE, the function family queried is C_σ, where σ has the special structure such that S(σ) = [d] where d ∈ [ℓ], W(σ) = [d + 1, ℓ], and D(σ) = ∅. In fact, we show that the new security definition and the techniques we use to construct dHVE can be directly applied to give an AHIBE scheme with shorter private key size. While the previous AHIBE scheme by Boyen and Waters requires O(D^2) private key size, our new construction has O(D) private key size, where D is the maximum depth of the hierarchy. See Section 4.8 for details of the construction.


4.3 Background on Pairings and Complexity Assumptions

Our construction relies on bilinear groups of composite order n = pqr, where p, q, and r are distinct large primes. We now give a background review on bilinear groups of composite order.

Let GG be an algorithm called a group generator. Algorithm GG takes as input a security parameter λ ∈ Z_{>0}, a number k ∈ Z_{>0}, and outputs a tuple (p, q, r_1, r_2, ..., r_k, G, G_T, e) where p, q, r_1, r_2, ..., r_k are k + 2 distinct primes, G and G_T are two cyclic groups of order n = pq ∏_{i=1}^{k} r_i, and e is a function e : G² → G_T satisfying the following properties:

• (Bilinear) ∀u, v ∈ G, ∀a, b ∈ Z, e(u^a, v^b) = e(u, v)^{ab}.

• (Non-degenerate) ∃g ∈ G such that e(g, g) has order n in G_T.

We assume that the group operations in G and G_T as well as the bilinear map e are all computable in time polynomial in λ. We also assume that the description of G and G_T includes generators of G and G_T respectively.

We use the notation G_p, G_q, G_{r_1}, ..., G_{r_k} to denote the respective subgroups of order p, q,
r_1, ..., r_k of G. Similarly, we use the notation G_{T,p}, G_{T,q}, G_{T,r_1}, ..., G_{T,r_k} to denote the respective subgroups of order p, q, r_1, ..., r_k of G_T.

Our construction relies on two complexity assumptions: the Bilinear Diffie-Hellman assumption (BDH) and the generalized composite 3-party Diffie-Hellman assumption (C3DH). Although our construction requires only bilinear groups whose order is the product of three primes n = pqr, we state our assumptions more generally for bilinear groups of order n where n is the product of three or more primes.

We begin by defining some notation. We use the notation GG to denote the group generator algorithm that takes as input a security parameter λ ∈ Z_{>0}, a number k ∈ Z_{>0}, and outputs a tuple (p, q, r_1, r_2, ..., r_k, G, G_T, e) where p, q, r_1, r_2, ..., r_k are k + 2 distinct primes, G and G_T are two cyclic groups of order n = pq ∏_{i=1}^{k} r_i, and e : G² → G_T is the bilinear mapping function. We use the notation G_p, G_q, G_{r_1}, ..., G_{r_k} to denote the respective subgroups of order p, q, r_1, ..., r_k of G. Similarly, we use the notation G_{T,p}, G_{T,q}, G_{T,r_1}, ..., G_{T,r_k} to denote the respective subgroups of order p, q, r_1, ..., r_k of G_T.

The Bilinear Diffie-Hellman assumption. We review the standard Bilinear Diffie-Hellman assumption, but in groups of composite order. For a given group generator GG define the following distribution P(λ):

\[
\begin{aligned}
&(p, q, r_1, \ldots, r_k, G, G_T, e) \leftarrow GG(\lambda, k), \quad n \leftarrow pq \prod_{i=1}^{k} r_i, \\
&g_p \leftarrow G_p, \quad g_q \leftarrow G_q, \quad h_1 \leftarrow G_{r_1}, \ \ldots, \ h_k \leftarrow G_{r_k}, \\
&a, b, c \leftarrow \mathbb{Z}_n, \\
&Z \leftarrow \big((n, G, G_T, e),\ g_q,\ g_p,\ h_1, h_2, \ldots, h_k,\ g_p^{a},\ g_p^{b},\ g_p^{c}\big), \\
&T \leftarrow e(g_p, g_p)^{abc}, \\
&\text{Output } (Z, T)
\end{aligned}
\]

Define algorithm A's advantage in solving the composite Bilinear Diffie-Hellman problem as

\[
\mathrm{cBDHAdv}_{GG,A}(\lambda) := \big|\Pr[A(Z, T) = 1] - \Pr[A(Z, R) = 1]\big|
\]

where (Z, T) ← P(λ) and R ← G_{T,p}. We say that GG satisfies the composite Bilinear Diffie-Hellman assumption (cBDH) if for any polynomial time algorithm A, cBDHAdv_{GG,A}(λ) is a negligible function of λ.
The generalized composite 3-party Diffie-Hellman assumption. We also rely on the composite 3-party Diffie-Hellman assumption first introduced by Boneh and Waters [12]. For a given group generator GG define the following distribution P(λ):

\[
\begin{aligned}
&(p, q, r_1, \ldots, r_k, G, G_T, e) \leftarrow GG(\lambda, k), \quad n \leftarrow pq \prod_{i=1}^{k} r_i, \\
&g_p \leftarrow G_p, \quad g_q \leftarrow G_q, \quad h_1 \leftarrow G_{r_1}, \ \ldots, \ h_k \leftarrow G_{r_k}, \\
&R_1, R_2, R_3 \leftarrow G_q, \quad a, b, c \leftarrow \mathbb{Z}_n, \\
&Z \leftarrow \big((n, G, G_T, e),\ g_q,\ g_p,\ h_1, h_2, \ldots, h_k,\ g_p^{a},\ g_p^{b},\ g_p^{ab} R_1,\ g_p^{abc} R_2\big), \\
&T \leftarrow g_p^{c} R_3, \\
&\text{Output } (Z, T)
\end{aligned}
\]

Define algorithm A's advantage in solving the generalized composite 3-party Diffie-Hellman problem for GG as C3DHAdv_{GG,A}(λ) := |Pr[A(Z, T) = 1] − Pr[A(Z, R) = 1]|, where (Z, T) ← P(λ) and R ← G. We say that GG satisfies the composite 3-party Diffie-Hellman assumption (C3DH) if for any polynomial time algorithm A, its advantage C3DHAdv_{GG,A}(λ) is a negligible function of λ.

The assumption is formed around the intuition that it is hard to test for Diffie-Hellman tuples in the subgroup G_p if the elements have a random G_q subgroup component.

Remark 4.3.1 Consider bilinear groups of order n = pqr, where p, q, and r are three distinct primes. In the above generalized composite 3-party Diffie-Hellman assumption, whether to call a prime p, q, or r is merely a nominal issue. So equivalently, we may assume that it is hard to test for Diffie-Hellman tuples in the subgroup G_p, if each element is multiplied by a random element from G_r instead of G_q.


4.4 dHVE Construction

We construct our dHVE scheme by extending the HVE construction by Boneh and Waters [12] (also referred to as the BW06 scheme). One of the challenges that we must overcome is how to add delegation in anonymous IBE systems.

Our primary challenges arise from providing delegation in the anonymous setting. Delegation is easier in non-anonymous IBE systems, such as in HIBE. In the HIBE construction, the public key contains an element corresponding to each attribute, and the delegation algorithm can use these elements in the public key to rerandomize the tokens. In anonymous systems, however, as the encryption now has to hide the attributes as well, we have extra constraints on what information we can release in the public key. This restriction on rerandomizing components is the primary hurdle we must overcome.


4.4.1 Construction

In our construction, the public key and the ciphertext are constructed in a way similar to the BW06 scheme. However, we use a new technique to reduce the number of group elements in the ciphertext asymptotically by one half. Our token consists of two parts, a decryption key part denoted DK and a delegation component denoted DL. The decryption key part DK is similar to that in the BW06 scheme. The delegation component DL is more difficult to construct, since we need to make sure that the delegation component itself does not leak unintended information about the plaintext encrypted.

We will use Σ = Z_m for some integer m. Recall that Σ_{?,⊥} := Σ ∪ {?, ⊥}, where ? denotes a delegatable field, and ⊥ denotes a "don't care" field.

Setup(1^λ) The setup algorithm first chooses random large primes p, q, r > m and creates a bilinear group G of composite order n = pqr, as specified in Section 4.3. Next, it picks random elements

\[
(u_1, h_1), \ldots, (u_\ell, h_\ell) \in G_p, \quad g, v, w, \tilde{w} \in G_p, \quad g_q \in G_q, \quad g_r \in G_r
\]

and an exponent α ∈ Z_p. It keeps all these as the secret key MSK.

It then chooses 2ℓ + 3 random blinding factors in G_q:

\[
(R_{u,1}, R_{h,1}), \ldots, (R_{u,\ell}, R_{h,\ell}) \in G_q \quad \text{and} \quad R_v, R_w, R_{\tilde{w}} \in G_q.
\]

For the public key, PK, it publishes the description of the group G and the values

\[
\begin{aligned}
&A = e(g, v)^{\alpha}, \quad V = v R_v, \quad W = w R_w, \quad \tilde{W} = \tilde{w} R_{\tilde{w}}, \\
&U_1 = u_1 R_{u,1}, \quad H_1 = h_1 R_{h,1}, \\
&\ldots \\
&U_\ell = u_\ell R_{u,\ell}, \quad H_\ell = h_\ell R_{h,\ell}
\end{aligned}
\]

The message space M is set to be a subset of G_T of size less than n^{1/4}.

Encrypt(PK, X ∈ Σ^ℓ, Msg ∈ M ⊆ G_T) Assume that Σ ⊆ Z_m. Let X = (x_1, ..., x_ℓ) ∈ Z_m^ℓ.

The encryption algorithm first chooses a random ρ ∈ Z_n and random Z, Z_0, Z_?, Z_1, Z_2, ..., Z_ℓ ∈ G_q. (The algorithm picks random elements in G_q by raising g_q to random exponents from Z_n.) Then, the encryption algorithm outputs the ciphertext:

\[
\mathrm{CT} = \left(
\begin{aligned}
&\tilde{C} = \mathrm{Msg} \cdot A^{\rho}, \quad C = V^{\rho} Z, \quad C_0 = W^{\rho} Z_0, \quad C_{?} = \tilde{W}^{\rho} Z_{?}, \\
&C_1 = (U_1^{x_1} H_1)^{\rho} Z_1, \\
&C_2 = (U_2^{x_2} H_2)^{\rho} Z_2, \\
&\ldots \\
&C_\ell = (U_\ell^{x_\ell} H_\ell)^{\rho} Z_\ell
\end{aligned}
\right)
\]

Remark 4.4.1 We note that the ciphertext size is cut down by roughly a half when compared to the BW06 construction [12]. Therefore, our construction immediately implies an HVE scheme with asymptotically half the ciphertext size as the original BW06 construction.

GenToken(PK, MSK, σ ∈ Σ^ℓ_{?,⊥}) The token generation algorithm will take as input the master secret key MSK and an ℓ-tuple σ = (σ_1, ..., σ_ℓ) ∈ Σ^ℓ_{?,⊥}. The token for σ consists of two parts: (1) a decryption key component denoted DK, and (2) a delegation component denoted DL.

• The decryption key component DK is composed in a way similar to that of the original HVE construction [12]. Recall that S(σ) denotes the indices of the fixed fields, i.e., indices j such that σ_j ∈ Σ. Randomly select γ, γ̃ ∈ Z_p and t_j ∈ Z_p for all j ∈ S(σ). Pick random Y, Y_0, Y_? ∈ G_r and Y_j ∈ G_r for all j ∈ S(σ). Observe that picking random elements from the subgroup G_r can be done by raising g_r to random exponents in Z_n. Next, output the following decryption key component:

\[
\mathrm{DK} = \left(
K = g^{\alpha} w^{\gamma} \tilde{w}^{\tilde{\gamma}} \prod_{j \in S(\sigma)} (u_j^{\sigma_j} h_j)^{t_j}\, Y, \quad
K_0 = v^{\gamma} Y_0, \quad
K_{?} = v^{\tilde{\gamma}} Y_{?}, \quad
\forall j \in S(\sigma):\ K_j = v^{t_j} Y_j
\right)
\]

• The delegation component DL is constructed as below. Recall that W(σ) denotes the set of all indices i where σ_i = ?. For each i ∈ W(σ), for each j ∈ S(σ) ∪ {i}, randomly select s_{i,j} ∈ Z_p and Y_{i,j} ∈ G_r. For each i ∈ W(σ), randomly select γ_i, γ̃_i ∈ Z_p and Y_{i,u}, Y_{i,h}, Y_{i,0}, Y_{i,?} ∈ G_r. Next, output the following delegation component DL_i for coordinate i:

\[
\forall i \in W(\sigma):\ \mathrm{DL}_i = \left(
\begin{aligned}
&L_{i,h} = h_i^{s_{i,i}} w^{\gamma_i} \tilde{w}^{\tilde{\gamma}_i} \prod_{j \in S(\sigma)} (u_j^{\sigma_j} h_j)^{s_{i,j}}\, Y_{i,h}, \quad
L_{i,u} = u_i^{s_{i,i}} Y_{i,u}, \\
&L_{i,0} = v^{\gamma_i} Y_{i,0}, \quad
L_{i,?} = v^{\tilde{\gamma}_i} Y_{i,?}, \quad
\forall j \in S(\sigma) \cup \{i\}:\ L_{i,j} = v^{s_{i,j}} Y_{i,j}
\end{aligned}
\right)
\]

Remark 4.4.2 Later, if we want to delegate on the kth field by fixing it to λ ∈ Σ, we will multiply L_{k,u}^λ to L_{k,h}, resulting in something similar to the decryption key DK (except without the g^α term). Observe that the L_{i,h} terms encode all the fixed fields (i.e., S(σ)). This effectively restricts the use of the delegation components, such that they can only be added on top of the fixed fields, partly ensuring that the delegation components do not leak unintended information.


Delegate(PK, TK_σ, σ') Given a token for σ ∈ Σ^ℓ_{?,⊥}, the Delegate algorithm computes a token for σ' ≺ σ. Without loss of generality, we assume that σ' fixes only one delegatable field of σ to a symbol in Σ or to ⊥. Clearly, if we have an algorithm to perform delegation on one field, then we can perform delegation on multiple fields. This can be achieved by fixing the multiple delegatable fields one by one.

We now describe how to compute TK_{σ'} from TK_σ. Suppose σ' fixes the kth coordinate of σ. We consider the following two types of delegation: 1) the kth coordinate is fixed to some value in the alphabet Σ, and 2) the kth coordinate is set to ⊥, i.e., it becomes a "don't care" field.

Type 1: σ' fixes the kth coordinate of σ to λ ∈ Σ, and all other coordinates of σ remain unchanged. In this case, S(σ') = S(σ) ∪ {k}, and W(σ') = W(σ) \ {k}. (Recall that S(σ) denotes the set of indices j where σ_j ∈ Σ, and W(σ) denotes the set of delegatable fields of σ.)


Step 1: Let (DK, DL) denote the parent token. Pick a random exponent μ ∈ Z_n and rerandomize the delegation component DL by raising every element in DL to μ. Denote the rerandomized delegation component:

\[
\forall i \in W(\sigma):\ \mathrm{DL}_i = \left(
L_{i,h} \leftarrow L_{i,h}^{\mu}, \quad
L_{i,u} \leftarrow L_{i,u}^{\mu}, \quad
L_{i,0} \leftarrow L_{i,0}^{\mu}, \quad
L_{i,?} \leftarrow L_{i,?}^{\mu}, \quad
\forall j \in S(\sigma) \cup \{i\}:\ L_{i,j} \leftarrow L_{i,j}^{\mu}
\right)
\]

In addition, compute a partial decryption key component with the kth coordinate fixed to λ:

\[
\mathrm{pDK} = \left( T = L_{k,u}^{\lambda} L_{k,h}, \quad T_0 = L_{k,0}, \quad T_{?} = L_{k,?}, \quad \forall j \in S(\sigma'):\ T_j = L_{k,j} \right)
\]

The partial decryption key pDK is formed similarly to the decryption key DK, except that pDK does not contain the term g^α.

Step 2: Compute |W(σ')| rerandomized versions of the above. For all i ∈ W(σ'), randomly select τ_i ∈ Z_n, and compute:

\[
\mathrm{pDK}_i = \left( T_i = T^{\tau_i}, \quad T_{i,0} = T_0^{\tau_i}, \quad T_{i,?} = T_{?}^{\tau_i}, \quad \forall j \in S(\sigma'):\ T_{i,j} = T_j^{\tau_i} \right)
\]

Step 3: Compute the decryption key component DK' of the child token. DK' is computed from two things: 1) DK, the decryption key component of the parent token and 2) pDK, the partial decryption key computed in Step 1. In particular, pDK is the partial decryption key with the kth field fixed; however, as pDK does not contain the g^α term, we need to multiply appropriate components of pDK to those in DK.

To compute DK', first, randomly select Y', Y'_0, Y'_? ∈ G_r. For all j ∈ S(σ'), randomly select Y'_j ∈ G_r. Now output the following DK':

\[
\begin{aligned}
&K' = K\, T\, Y', \quad K_0' = K_0 T_0 Y_0', \quad K_{?}' = K_{?} T_{?} Y_{?}', \quad K_k' = T_k Y_k', \\
&\forall j \in S(\sigma):\ K_j' = K_j T_j Y_j'
\end{aligned}
\]

Step 4: Compute the delegation component DL' of the child token. DL' is composed of a portion DL'_i for each i ∈ W(σ'). Moreover, each DL'_i is computed from two things: 1) DL_i as computed in Step 1 and 2) pDK_i as computed in Step 2.

Follow the steps below to compute DL'. For each i ∈ W(σ'), randomly select Y'_{i,h}, Y'_{i,u}, Y'_{i,0}, Y'_{i,?} from G_r. For each i ∈ W(σ'), for each j ∈ S(σ) ∪ {i, k}, pick at random Y'_{i,j} from G_r. Compute the delegation component DL' of the child token:

\[
\forall i \in W(\sigma'):\ \mathrm{DL}_i' = \left(
\begin{aligned}
&L_{i,h}' = L_{i,h} T_i Y_{i,h}', \quad
L_{i,u}' = L_{i,u} Y_{i,u}', \quad
L_{i,0}' = L_{i,0} T_{i,0} Y_{i,0}', \quad
L_{i,?}' = L_{i,?} T_{i,?} Y_{i,?}', \\
&L_{i,k}' = T_{i,k} Y_{i,k}', \quad
L_{i,i}' = L_{i,i} Y_{i,i}', \quad
\forall j \in S(\sigma):\ L_{i,j}' = L_{i,j} T_{i,j} Y_{i,j}'
\end{aligned}
\right)
\]


Type 2: In Type 2 delegation, σ' fixes the kth coordinate of σ to ⊥. In this case, S(σ') = S(σ), and W(σ') = W(σ) \ {k}. The child token is formed by removing the part DL_k from the parent token:

\[
\mathrm{TK}_{\sigma'} = \left( \mathrm{DK},\ \mathrm{DL} \setminus \{\mathrm{DL}_k\} \right)
\]

Remark 4.4.3 It is not hard to verify that delegated tokens have the correct form, except that their exponents are no longer distributed independently at random, but are correlated with the parent tokens. In the proof in Section 4.6 we show that Type 1 delegated tokens "appear" (in a computational sense) as if they were generated directly by calling the GenToken algorithm, that is, with exponents completely at random. This constitutes an important idea in our security proof.

Query(PK, TK_σ, CT, σ') A token for σ ∈ Σ^ℓ_{?,⊥} allows one to evaluate a set of functions C_σ defined by Equation (4.1) from the ciphertext. Let σ' ≺ σ and assume σ' has no delegatable fields. Then σ' represents a single function (a conjunctive equality test), and the Query algorithm allows us to evaluate f_{σ'} over the ciphertext.

To evaluate f_{σ'} from the ciphertext using TK_σ, first call the Delegate algorithm to compute a decryption key for σ'. Write this decryption key in the form DK = (K, K_0, K_?, ∀j ∈ S(σ'): K_j). Furthermore, parse the ciphertext as CT = (C̃, C, C_0, C_?, ∀j ∈ [ℓ]: C_j).

Use the same algorithm as the original HVE construction to perform the query. First, compute

\[
\mathrm{Msg} \leftarrow \tilde{C} \cdot e(C, K)^{-1} \cdot e(C_0, K_0)\, e(C_{?}, K_{?}) \prod_{j \in S(\sigma')} e(C_j, K_j) \qquad (4.4)
\]

If Msg ∉ M, output 0, indicating that f_{σ'} is not satisfied. Otherwise, output 1, indicating that f_{σ'} is satisfied and also output Msg. We explain why the Query algorithm is correct in Section 4.5.

4.4.2 Security of our construction

Theorem 4.4.1 Assuming that the Bilinear Diffie-Hellman assumption and the generalized composite 3-party Diffie-Hellman assumption hold in G, then the above dHVE construction is selectively secure.

We explain the main techniques used in the proof; however, we defer the detailed proof to Section 4.6. In our main construction, delegated tokens have certain correlations with their parent tokens. As a result, the distribution of delegated tokens differs from tokens generated freshly at random by calling the GenToken algorithm. A major technique used in the proof is "token indistinguishability": although delegated tokens have correlations with their parent tokens, they are in fact computationally indistinguishable from tokens freshly generated through the GenToken algorithm. (Strictly speaking, Type 1 delegated tokens are computationally indistinguishable from freshly generated tokens.) This greatly simplifies our simulation, since now the simulator can pretend that all Type 1 tokens queried by the adversary are freshly generated, without having to worry about their correlation with parent tokens. Intuitively, the above notion of token indistinguishability relies on the C3DH assumption: if we use a random hiding factor from G_r to randomize each term in the token, then DDH becomes hard for the subgroup G_p.

4.5 Correctness

We explain why the Query algorithm is correct. Let (Msg, X) denote the plaintext encrypted, and let σ' denote the conjunctive query being evaluated in the Query algorithm.

• If the plaintext X satisfies the query, i.e., if f_{σ'}(X) = 1, a simple calculation shows that the Query algorithm outputs the message Msg. The calculation relies on the fact that if a ∈ G_q and b ∈ G_r, then e(a, b) = 1. Observe that in our construction, each term in the ciphertext (except C̃) contains a random hiding factor from the subgroup G_q, and each term in the token contains a random hiding factor from the subgroup G_r. When one performs a pairing operation on the ciphertext and the token, the subgroups G_q and G_r "disappear", and the result of the pairing is an element of G_{T,p}.

• If the plaintext X does not satisfy the query, i.e., if f_{σ'}(X) = 0, due to an argument similar to the BW06 [12] paper, the probability Pr[Query(PK, TK_σ, CT, σ') ≠ 0] is negligible. See Lemma 5.2 of BW06 for details.


4.6 Proof

We prove the security of our construction. We prove selective security, where the adversary commits to two strings X_0^* and X_1^* at the beginning of the security game.

The challenge in proving security is that under our new security game, the simulation needs to reflect how tokens are delegated. In other words, delegated tokens are correlated with their parent tokens in some way, and the simulation should reflect this fact.

Our overall strategy is for the simulator to generate tokens by calling the original GenToken algorithm whenever possible, even when the token is delegated. More specifically, for all Type 1 delegation queries, the simulator generates a freshly randomized token by calling the GenToken algorithm, rather than the Delegate algorithm. As we mentioned, this simulation does not reflect the real security game, since the Type 1 delegated tokens are no longer correlated with their parent tokens. However, we overcome this by showing that the simulation is computationally indistinguishable from the real security game. Intuitively, the indistinguishability property comes from the random group element from the third subgroup G_r that we use to rerandomize the tokens. Our technique is novel in the sense that in proving semantic security over the ciphertext, we actually rely on "semantic security" over the tokens.

4.6.1 Sequence of games

To prove security, we define a sequence of games, Game_0, Game_1, ..., Game_5.

Game_0. Let Game_0 denote the real selective security game as defined in Section 4.1.2.

Game_1. We first modify Game_0 slightly into a new game Game_1. Game_1 is almost identical to Game_0, except in the way the tokens are generated. In Game_1, whenever the adversary issues a "create delegated token" query, depending on which type of delegation query it is, the challenger performs the following:

• Type 1: The challenger calls the GenToken algorithm to generate a fresh token, and gives it to the adversary.

• Type 2: The challenger generates the token in the normal way by calling the Delegate algorithm.

Remark 4.6.1 The difference between Game_0 and Game_1 lies in the fact that in the real game Game_0, child tokens are always correlated with their parent tokens. In game Game_1, a Type 1 delegated token is no longer correlated with its parent token; however, Type 2 delegated tokens are still correlated with their parent tokens.

Intuitively, if we use the G_r subgroup to randomize the tokens, no polynomially bounded adversary is able to tell Game_0 apart from Game_1. In other words, the advantage of the adversary in winning Game_0 is almost the same as her advantage in winning Game_1. Therefore, it suffices to prove security using Game_1 instead of Game_0. This simplifies the proof, since in Game_1, Type 1 delegated tokens are formed in the same way as non-delegated tokens.

Lemma 4.6.1 Assuming that the generalized 3-party Diffie-Hellman assumption holds in G, then no polynomially bounded adversary can successfully distinguish Game_0 and Game_1 with more than negligible advantage.

Game_2. Next, we modify Game_1 slightly into a new game Game_2. Game_2 differs from Game_1 also in the way tokens are formed. To explain how Game_2 differs from Game_1, first observe that any token σ queried must satisfy one of the following two cases:

• Matching tokens. The decryption key part of TK_σ matches both of the two selected points X_0^* and X_1^*. In this case, for all i ∈ W(σ), X_{0,i}^* = X_{1,i}^*, since otherwise TK_σ would separate the two selected points. In this case, we say that the token matches both selected points.

• Non-matching tokens. The decryption key part of TK_σ matches neither of the two selected points X_0^* and X_1^*.

In Game_2, in any Type 1 delegation query, if the token requested matches both of the selected points X_0^* and X_1^*, the challenger picks the two exponents for w and w̃ in DK not independently at random, but in a correlated way: At the beginning of the security game, the challenger picks a random π ∈ Z_p, and keeps it secret from the adversary. Now if a token σ requested in a Type 1 delegation query matches both of the selected points, the challenger picks γ̃ = πγ when it computes DK. Similarly, for all i ∈ W(σ), when the challenger computes DL_i, it picks γ̃_i = πγ_i instead of picking the two exponents independently at random.

Lemma 4.6.2 Assume that the C3DH assumption holds in G. Then for any polynomial time adversary, the difference of advantage in winning Game_1 and Game_2 is negligible.

Remark 4.6.2 In Game_1, all tokens (except Type 2 tokens) are picked independently at random. In Game_2, this is no longer true, in the sense that for certain queries, the exponents of w and w̃ are correlated with each other. Because of the third subgroup G_r that we use to rerandomize the tokens, we will show that this correlation is computationally hidden from the adversary. The motivation for introducing Game_2 is that later the simulator will need to exploit this correlation in γ and γ̃ in order to successfully perform a simulation.

Game_3. We now further modify Game_2 into Game_3. Game_3 is almost identical to Game_2 except in the challenge ciphertext. In Game_3, if Msg_0 ≠ Msg_1, the first term C̃ in the challenge ciphertext is replaced by a random element from G_T, and the rest of the ciphertext is generated as usual. If Msg_0 = Msg_1, the challenge ciphertext is generated correctly.

Lemma 4.6.3 Assume that the BDH and C3DH assumptions hold in G. Then no polynomial time adversary can successfully distinguish Game_2 and Game_3 with more than negligible probability.

Game_4. Next, we modify Game_3 into a new game Game_4. Game_3 and Game_4 are identical except in the challenge ciphertext. In Game_4, the simulator creates the challenge ciphertext according to the following distribution:

\[
C_0 = W^{\rho} g_p^{\rho'} Z_0, \qquad C_{?} =
\]

where ρ' is picked at random from Z_p.

Lemma 4.6.4 Assume that the C3DH assumption holds in G. Then no polynomial time adversary can successfully distinguish games Game_3 and Game_4 with more than negligible probability.

Game_5. Let E denote the set of indices i such that X_{0,i}^* ≠ X_{1,i}^*, where X_0^* and X_1^* are the two committed points in the selective security game. We now define a new game Game_5. Game_5 differs from Game_4 in that for all i ∈ E, the ciphertext component C_i is replaced by a random element from G_{pq}.

Lemma 4.6.5 Assume that the C3DH assumption holds in G. Then no polynomial time adversary can successfully distinguish Game_4 and Game_5 with more than negligible probability.

Notice that in Game_5, the ciphertext gives no information about the point X_b^* or the message Msg_b encrypted. Therefore, the adversary can win Game_5 with probability at most 1/2.

We prove the above lemmas. First, we observe that from Game_0 to Game_2, the simulation changes in the way the tokens are generated. We show that these changes remain computationally hidden from any poly-time adversary.

4.6.2 Indistinguishability of Game_0 and Game_1

We prove Lemma 4.6.1 and show that games Game_0 and Game_1 are computationally indistinguishable. To do this, we perform a hybrid argument on the number of Type 1 "Create delegated token" queries issued by the adversary, henceforth referred to as T1-delegation queries for short.

Definition 4.6.6 Let Game_{0,0} := Game_0 denote the real game. Let q denote the number of T1-delegation queries issued by the adversary. Define a sequence of hybrid games Game_{0,i} for all 1 ≤ i ≤ q. Game_{0,i} differs from Game_0 in the fact that when the adversary issues the first i T1-delegation queries, instead of generating the delegated tokens faithfully using the Delegate algorithm, the challenger calls the GenToken algorithm instead to generate these delegated tokens. For all the remaining queries, the challenger computes tokens and responds faithfully as in the real game Game_0. Under the above definition, Game_{0,q} is the same as Game_1.

Claim 4.6.7 For all 0 ≤ d ≤ q − 1, no polynomially bounded adversary can distinguish Game_{0,d} from Game_{0,d+1} with more than negligible advantage.
If we can prove the above Claim 4.6.7, then Lemma 4.6.1 follows by the hybrid argument.

We focus on proving Claim 4.6.7. Intuitively, Claim 4.6.7 relies on the following observation. Pick h_1, h_2, ..., h_ℓ ← G_p, an exponent τ ← Z_p, and randomizing factors Y_1, Y_2, ..., Y_ℓ, Z_1, Z_2, ..., Z_ℓ ← G_r. Now the tuple

\[
(h_1 Z_1, \ldots, h_\ell Z_\ell,\ h_1^{\tau} Y_1, \ldots, h_\ell^{\tau} Y_\ell)
\]

is computationally indistinguishable from

\[
(h_1 Z_1, \ldots, h_\ell Z_\ell,\ R_1, \ldots, R_\ell),
\]

where (R_1, ..., R_ℓ) are picked independently at random from G_{pr} = G_p × G_r. It is not hard to see that this is the equivalent of the Decisional Diffie-Hellman (DDH) assumption for bilinear groups of composite order. Since we can compute pairings in such groups, normally DDH is easy in group G. However, if we use subgroup G_r to hide subgroup G_p, DDH becomes hard in G_p. For this reason, we can rerandomize tokens by raising all elements to the same exponent τ, and the rerandomized token is computationally indistinguishable from a completely rerandomized token.

We formalize the above intuition into the ℓ-composite 3-party Diffie-Hellman assumption (ℓ-C3DH). Lemma 4.6.8 proves that the ℓ-C3DH assumption is implied by the generalized C3DH assumption. Therefore, we are not introducing a new assumption here.

Given a group generator GG, define the following distribution P(λ):

\[
\begin{aligned}
&(p, q, r, G, G_T, e) \leftarrow GG(\lambda, 1), \quad n \leftarrow pqr, \\
&g_p \leftarrow G_p, \quad g_q \leftarrow G_q, \quad g_r \leftarrow G_r, \\
&Y_1, Y_2, \ldots, Y_\ell,\ Z_1, Z_2, \ldots, Z_\ell \leftarrow G_r, \\
&h_1, h_2, \ldots, h_\ell \leftarrow G_p, \\
&\tau \leftarrow \mathbb{Z}_p, \\
&X \leftarrow \big((n, G, G_T, e),\ g_p, g_q, g_r,\ h_1 Z_1, h_2 Z_2, \ldots, h_\ell Z_\ell\big), \\
&Q \leftarrow \big(h_1^{\tau} Y_1, h_2^{\tau} Y_2, \ldots, h_\ell^{\tau} Y_\ell\big), \\
&\text{Output } (X, Q)
\end{aligned}
\]

For an algorithm A, define A's advantage in solving the above problem:

\[
\ell\text{-C3DHAdv}_{GG,A}(\lambda) := \big|\Pr[A(X, Q) = 1] - \Pr[A(X, R) = 1]\big|
\]

where (X, Q) ← P(λ), and

\[
R = (R_1, R_2, \ldots, R_\ell) \leftarrow (G_{pr})^{\ell}.
\]

Lemma 4.6.8 (ℓ-composite 3-party Diffie-Hellman) Assume that the generalized composite 3-party Diffie-Hellman assumption holds in G. All probabilistic polynomial time adversaries have negligible advantage in solving the ℓ-C3DH problem.
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Proof:  By  hybrid  argument. 


Proof of Claim 4.6.7 Recall that in game $\mathrm{Game}_{0,d}$, when the challenger receives the first $d$ T1-delegation queries, it creates a completely randomized token. We show that no polynomially bounded adversary has more than negligible advantage in distinguishing $\mathrm{Game}_{0,d}$ from $\mathrm{Game}_{0,d+1}$.

We use the following sequence of games to prove Claim 4.6.7.

$\mathrm{Game}'_{0,d}$ In Step 1 of the Delegate algorithm, for the $(d+1)$th T1-delegation query, instead of generating $\mathrm{DL} = [\mathrm{DL}_i]_{i \in W(\sigma')}$ faithfully by raising every element in $\mathrm{DL}$ to a random exponent $\mu$, the challenger picks $\mathrm{DL}$ to be a fresh random delegation component. We show that a polynomial time adversary cannot distinguish between the two cases.

$\mathrm{Game}''_{0,d}$ In Step 2, instead of computing each $\mathrm{pDK}_i$ faithfully, the challenger picks them as fresh random decryption keys (except without the $g^{\alpha}$ term). We show that a polynomial time adversary cannot distinguish between these two cases.

It is not hard to see that if $\mathrm{DL}$ were a completely rerandomized delegation component for $\sigma'$, while each $\mathrm{pDK}_i$ were an independently rerandomized decryption key (except without the $g^{\alpha}$ part), then the delegated token $\mathrm{TK}_{\sigma'}$ would be a truly rerandomized token, as if it were generated by directly calling the GenToken algorithm. In other words, $\mathrm{Game}''_{0,d} = \mathrm{Game}_{0,d+1}$. We show below that $\mathrm{Game}_{0,d}$ is indistinguishable from $\mathrm{Game}'_{0,d}$, and that $\mathrm{Game}'_{0,d}$ is indistinguishable from $\mathrm{Game}''_{0,d}$.


$\mathrm{Game}_{0,d}$ is indistinguishable from $\mathrm{Game}'_{0,d}$. We prove the above Step 1, i.e., $\mathrm{Game}'_{0,d}$ is computationally indistinguishable from $\mathrm{Game}_{0,d}$. Suppose a polynomial time adversary $\mathcal{A}$ can successfully distinguish between the above two games. Let $q_0$ denote the maximum number of “create token” and “create Type 1 delegated token” queries made by the adversary. We build a simulator $\mathcal{B}$ that leverages $\mathcal{A}$ to break the following $((\ell+1)(\ell+2)q_0)$-C3DH assumption. We use the notation $\forall i, j, k$ to denote $\forall i \in [q_0],\ 0 \le j \le \ell,\ k \in [\ell+2]$.

$(p, q, r, G, G_T, e) \leftarrow GG(\lambda, 1)$, $n \leftarrow pqr$,
$g_p \leftarrow G_p$, $g_q \leftarrow G_q$, $g_r \leftarrow G_r$
$\forall i, j, k:\ Y_{i,j,k}, Z_{i,j,k} \leftarrow G_r,\ v_{i,j,k} \leftarrow G_p$
$r \leftarrow \mathbb{Z}_p$

$X \leftarrow ((n, G, G_T, e),\ g_p, g_q, g_r,\ \forall i, j, k:\ v_{i,j,k} Z_{i,j,k})$

$Q \leftarrow (\forall i, j, k:\ v_{i,j,k}^{\,r}\, Y_{i,j,k})$

Then the challenger randomly decides to give $(X, Q' = Q)$ or $(X, Q' = R)$, where $R$ is a random vector drawn from $(G_{pr})^{(\ell+1)(\ell+2)q_0}$.

The  simulator  will  leverage  the  adversary  A  to  distinguish  between  the  above  two  cases. 

Init and Setup. At the beginning of the security game, the adversary commits two points $X_0^*$ and $X_1^*$.
The simulator picks $v \leftarrow G_p$, and for $1 \le i \le \ell$, the simulator sets $u_i = v^{x_i}$, $h_i = v^{y_i}$, where $x_i$ and $y_i$ are random exponents from $\mathbb{Z}_n$. The simulator also picks $w = v^{z}$ and $\tilde w = v^{\tilde z}$. The remaining public parameters and secret key components are picked normally according to the Setup algorithm.

Query  1  and  2.  Recall  that  the  adversary  makes  a  number  of  queries  of  the  following  types:  1) 
create  token,  2)  create  delegated  token,  3)  reveal  token.  In  this  simulation,  the  simulator 
computes  and  saves  a  token  internally  whenever  a  “create  token”  or  “create  delegated  token” 
query  is  made.  The  simulator  simply  reveals  the  saved  token  whenever  the  adversary  makes 
a  “reveal  token”  query. 

Throughout  the  simulation,  whenever  the  adversary  asks  the  simulator  to  create  a  Type  2 
delegated  token,  the  simulator  generates  it  faithfully  by  deriving  it  from  its  parent  token. 
This  correctly  reflects  the  relation  between  the  child  token  and  the  parent  token. 

From  now  on,  we  focus  on  how  the  simulator  generates  Type  1  delegated  tokens  and  non- 
delegated  tokens. 

• Before the adversary issues the $(d+1)$th T1-delegation query, the simulator computes tokens using the following strategy. Whenever the adversary asks the simulator to create a Type 1 token or non-delegated token, the simulator incorporates elements from the $((\ell+1)(\ell+2)q_0)$-C3DH instance into these tokens, in a way such that all the exponents are distributed uniformly at random. In particular, let $i$ ($1 \le i \le q_0$) denote the index of the current query. We note that $i$ is a counter for all “create token” or “create Type 1 delegated token” queries, and $d$ is a counter for all “create Type 1 delegated token” queries. The simulator lets

$K_0 = v_{i,0,\ell+1} Z_{i,0,\ell+1},\quad \tilde K_0 = v_{i,0,\ell+2} Z_{i,0,\ell+2},\quad \forall k \in S(\sigma):\ K_k = v_{i,0,k} Z_{i,0,k}$

For all $j \in W(\sigma)$, the simulator lets

$L_{j,0} = v_{i,j,\ell+1} Z_{i,j,\ell+1},\quad \tilde L_{j,0} = v_{i,j,\ell+2} Z_{i,j,\ell+2},\quad \forall k \in S(\sigma) \cup \{j\}:\ L_{j,k} = v_{i,j,k} Z_{i,j,k}$

As the simulator knows the dlog of $w, \tilde w, u_1, \ldots, u_\ell, h_1, \ldots, h_\ell$ base $v$, the remaining components of the token can be generated efficiently:


$$K = g^{\alpha}\, K_0^{\,z}\, \tilde K_0^{\,\tilde z} \prod_{k \in S(\sigma)} K_k^{\,x_k \sigma_k + y_k}\; Y, \qquad \text{where } Y \leftarrow G_r \tag{4.5}$$

$$\forall j \in W(\sigma):\quad L_{j,h} = L_{j,0}^{\,z}\, \tilde L_{j,0}^{\,\tilde z} \prod_{k \in S(\sigma)} L_{j,k}^{\,x_k \sigma_k + y_k}\; L_{j,j}^{\,y_j}\; Y_{j,h}, \qquad L_{j,u} = L_{j,j}^{\,x_j}\; Y_{j,u}, \qquad \text{where } Y_{j,h}, Y_{j,u} \leftarrow G_r \tag{4.6}$$


• The adversary makes the $(d+1)$th T1-delegation query. In particular, the adversary specifies a parent token, and asks to fix a delegatable field to some value $I \in \Sigma$. Assume the parent token was created in the $i$th query, $1 \le i \le q_0$. When performing Step 1 of the Delegate algorithm, for all $j \in W(\sigma)$, the simulator lets

$L_{j,0} = Q'_{i,j,\ell+1},\quad \tilde L_{j,0} = Q'_{i,j,\ell+2},\quad \forall k \in S(\sigma) \cup \{j\}:\ L_{j,k} = Q'_{i,j,k}$

Here we use the notation $Q'_{i,j,k}$ to index into the vector $Q'$ from the $((\ell+1)(\ell+2)q_0)$-C3DH problem. As the simulator knows the dlog of $w, \tilde w, u_1, \ldots, u_\ell, h_1, \ldots, h_\ell$ base $v$, the remaining components of the token can be generated efficiently due to Equations (4.5) and (4.6).

•  For  all  the  remaining  queries,  the  simulator  responds  faithfully  as  in  the  real  game. 

Clearly, if $Q' = Q$ in the $((\ell+1)(\ell+2)q_0)$-C3DH instance, then the above simulation is identically distributed as $\mathrm{Game}_{0,d}$. Otherwise, the above simulation is identically distributed as $\mathrm{Game}'_{0,d}$.

Challenge.  The  simulator  generates  the  challenge  ciphertext  as  normal. 

Guess. If the adversary has $\epsilon$ difference in its advantage in $\mathrm{Game}_{0,d}$ and $\mathrm{Game}'_{0,d}$, it is not hard to see that the simulator has a comparable advantage in solving the C3DH instance.

$\mathrm{Game}'_{0,d}$ is indistinguishable from $\mathrm{Game}''_{0,d}$. Similarly, we can show that Step 2 above is also true, i.e., no polynomial time adversary can distinguish between $\mathrm{Game}'_{0,d}$ and $\mathrm{Game}''_{0,d}$ with non-negligible probability. To prove this, we further define a sequence of hybrid games. Suppose that in $\mathrm{Game}'_{0,d,c}$, where $0 \le c \le |W(\sigma')|$, the first $c$ $\mathrm{pDK}_i$'s are replaced by independent random decryption keys (without the $g^{\alpha}$ part). We show that a polynomial time adversary cannot distinguish between $\mathrm{Game}'_{0,d,c}$ and $\mathrm{Game}'_{0,d,c+1}$. Then, by the hybrid argument, $\mathrm{Game}'_{0,d}$ and $\mathrm{Game}''_{0,d}$ (which is identically distributed as $\mathrm{Game}_{0,d+1}$) are computationally indistinguishable.

The simulator tries to solve the following $\ell$-C3DH instance:

$(p, q, r, G, G_T, e) \leftarrow GG(\lambda, 1)$, $n \leftarrow pqr$,
$g_p \leftarrow G_p$, $g_q \leftarrow G_q$, $g_r \leftarrow G_r$
$Y_1, Y_2, \ldots, Y_\ell,\ Z_1, Z_2, \ldots, Z_\ell \leftarrow G_r$
$v_1, v_2, \ldots, v_\ell \leftarrow G_p$
$r \leftarrow \mathbb{Z}_p$

$X \leftarrow ((n, G, G_T, e),\ g_p, g_q, g_r,\ v_1 Z_1, v_2 Z_2, \ldots, v_\ell Z_\ell)$

$Q \leftarrow (v_1^{\,r} Y_1, v_2^{\,r} Y_2, \ldots, v_\ell^{\,r} Y_\ell)$

The simulator tries to distinguish between $(X, Q' = Q)$ and $(X, Q' = R)$, where $R$ is a random vector from $G_{pr}$. The simulator leverages an adversary $\mathcal{A}$ who can distinguish between $\mathrm{Game}'_{0,d,c}$ and $\mathrm{Game}'_{0,d,c+1}$.

Init and Setup. At the beginning of the game, the simulator sets up public parameters and a secret key by choosing $v \leftarrow G_p$. For $1 \le i \le \ell$, the simulator sets $u_i = v^{x_i}$, $h_i = v^{y_i}$, where $x_i$ and $y_i$ are random exponents from $\mathbb{Z}_n$. The simulator also picks $w = v^{z}$ and $\tilde w = v^{\tilde z}$. The remaining public parameters and secret key components are picked normally according to the Setup algorithm.

Query  1  and  2.  The  adversary  issues  a  number  of  queries  to  the  simulator.  Like  before,  the 
simulator  internally  computes  and  saves  a  token  whenever  it  receives  a  “create  token”  or 
“create  delegated  token”  query.  The  simulator  simply  reveals  to  the  adversary  the  previously 
computed  token  in  a  “reveal  token”  query. 

The simulator treats Type 2 tokens as a special case. Whenever the adversary asks the simulator to create a Type 2 token, the simulator computes it faithfully by deriving the token from the specified parent. This correctly reflects the relation between the child token and its parent. Henceforth, we focus on how the simulator computes Type 1 delegated tokens and non-delegated tokens.

• Before the adversary makes the $(d+1)$th T1-delegation query, the simulator always computes each Type 1 delegated token and non-delegated token freshly at random.

• At the $(d+1)$th T1-delegation query, the adversary specifies a parent token, and requests to fix the $k$th coordinate to some value $I \in \Sigma$. To answer this query, the simulator first generates $\mathrm{DL}_i$ for all $i \in W(\sigma)$, and $\mathrm{pDK}$. For $i \in W(\sigma) \setminus \{k\}$, the simulator picks at random $L_{i,0}$, $\tilde L_{i,0}$ and $L_{i,j}$ for all $j \in S(\sigma) \cup \{i\}$. The simulator lets

$T_0 = L_{k,0} = v_{\ell+1} Z_{\ell+1},\quad \tilde T_0 = \tilde L_{k,0} = v_{\ell+2} Z_{\ell+2},\quad \forall j \in S(\sigma):\ T_j = L_{k,j} = v_j Z_j$

As the simulator knows the dlog of $w, \tilde w, u_1, \ldots, u_\ell, h_1, \ldots, h_\ell$ base $v$, the remaining components of the $\mathrm{DL}_i$'s and $\mathrm{pDK}$ can be generated efficiently in a way similar to Equations (4.5) and (4.6). The only difference is that $\mathrm{pDK}$ does not contain the $g^{\alpha}$ term, while a decryption key $\mathrm{DK}$ does.

The simulator picks the first $c$ $\mathrm{pDK}_i$'s as fresh random (partial) decryption keys.

Let $i$ be the $(c+1)$th index in $W(\sigma')$. For $\mathrm{pDK}_i$, the simulator sets

$r_{i,0} = Q'_{\ell+1},\quad \tilde r_{i,0} = Q'_{\ell+2},\quad \forall j \in S(\sigma):\ r_{i,j} = Q'_j$

We use the notation $Q'_j$ to index into the $j$th element of the vector $Q'$ from the $\ell$-C3DH problem. Again, since the simulator knows the dlog of $w, \tilde w, u_1, \ldots, u_\ell, h_1, \ldots, h_\ell$ base $v$, the remaining terms in $\mathrm{pDK}_i$ can be generated efficiently.

For all the remaining $\mathrm{pDK}_i$'s, the simulator generates them normally as in the original Delegate algorithm.

• For all the remaining queries, the simulator generates them faithfully.

Challenge.  The  simulator  generates  the  challenge  ciphertext  as  normal. 

Guess. Notice that if $Q' = Q$ in the $\ell$-C3DH problem, then the above simulation is identically distributed as $\mathrm{Game}'_{0,d,c}$; otherwise, the above simulation is identically distributed as $\mathrm{Game}'_{0,d,c+1}$. Therefore, if a polynomial time adversary could successfully distinguish between $\mathrm{Game}'_{0,d,c}$ and $\mathrm{Game}'_{0,d,c+1}$, then the simulator would be able to solve the $\ell$-C3DH problem with non-negligible probability.
4.6.3 Indistinguishability of $\mathrm{Game}_1$ and $\mathrm{Game}_2$

We prove Lemma 4.6.2.

Let $q$ denote the maximum number of T1-delegation queries for a matching token made by the adversary. We show that if a poly-time adversary has non-negligible difference in its advantage in $\mathrm{Game}_1$ and $\mathrm{Game}_2$, we can build a simulator that leverages this adversary to break the modified $q(\ell+1)$-C3DH assumption. In the following, we use $\forall i, j$ to mean $\forall i \in [q],\ 0 \le j \le \ell$.

$(p, q, r, G, G_T, e) \leftarrow GG(\lambda, 1)$, $n \leftarrow pqr$,
$g_p \leftarrow G_p$, $g_q \leftarrow G_q$, $g_r \leftarrow G_r$
$\forall i, j:\ Y_{i,j,1}, Y_{i,j,2} \leftarrow G_r$
$v_1, v_2 \leftarrow G_p$
$\forall i, j:\ r_{i,j} \leftarrow \mathbb{Z}_p$
$Q \leftarrow (\forall i, j:\ v_1^{\,r_{i,j}} Y_{i,j,1},\ v_2^{\,r_{i,j}} Y_{i,j,2})$


The modified $q(\ell+1)$-C3DH assumption says that given randomly $(Q' = Q)$ or $(Q' = R)$, where $R$ is a random vector of length $q(\ell+1)$ from $G_{pr}$, a poly-time adversary cannot distinguish whether $Q' = Q$ or $Q' = R$. The modified $q(\ell+1)$-C3DH assumption follows from the generalized C3DH assumption by the hybrid argument. Hence, we are not introducing a new assumption here.

Suppose the simulator is randomly given $(Q' = Q)$ or $(Q' = R)$, where $R$ is a random vector of length $q(\ell+1)$ from $G_{pr}$. Now the simulator tries to distinguish between the two cases.

The simulator first generates public and secret keys. The simulator picks $v \in G_p$ at random. For $1 \le i \le \ell$, the simulator sets $u_i = v^{x_i}$, $h_i = v^{y_i}$, where $x_i$ and $y_i$ are random exponents from $\mathbb{Z}_n$. The simulator also picks $w = v^{z}$ and $\tilde w = v^{\tilde z}$, where $z$ and $\tilde z$ are also random exponents from $\mathbb{Z}_n$. The simulator proceeds and generates the rest of the public and secret keys as normal.

We explain how the simulator answers the adversary's queries. When the adversary makes the $i$th T1-delegation query for a matching token, the simulator computes a token by letting $K_0 = Q'_{i,0,1}$ and $\tilde K_0 = Q'_{i,0,2}$. This f\ixes the exponents $\gamma$ and $\tilde\gamma$, although the simulator does not know what $\gamma$ and $\tilde\gamma$ really are. The simulator picks the remaining parameters needed as normal, and computes the decryption key part $\mathrm{DK}$. Notice that even though the simulator does not know $\gamma$ or $\tilde\gamma$, $\mathrm{DK}$ can be efficiently computed, since the simulator knows the dlog of $w, \tilde w$ base $v$.

Similarly, for delegation component $\mathrm{DL}_j$, where $j \in W(\sigma)$, the simulator lets $L_{j,0} = Q'_{i,j,1}$, $\tilde L_{j,0} = Q'_{i,j,2}$, picks the remaining parameters needed as normal, and computes $\mathrm{DL}_j$. By the same reasoning, even though the simulator does not know $\gamma_j$ or $\tilde\gamma_j$, $\mathrm{DL}_j$ can be efficiently computed since the simulator knows the dlog of $w, \tilde w$ base $v$.

We observe that if $Q' = Q$, then the above simulation would be identically distributed as $\mathrm{Game}_2$. Otherwise, if $Q' = R$, the above simulation would be identically distributed as $\mathrm{Game}_1$. Therefore, if a poly-time adversary has non-negligible difference in its advantage in distinguishing $\mathrm{Game}_1$ and $\mathrm{Game}_2$, the simulator would be able to break the modified $q(\ell+1)$-C3DH assumption.
Until now, we have shown that the simulator can change the way tokens are computed such that these changes remain computationally hidden from the adversary. Now we show that if the simulator changes certain parts of the ciphertext to random, a poly-time adversary cannot distinguish with more than negligible advantage.

In all the simulations described below, the simulator will compute tokens only when a “reveal token” query is made. When the adversary makes a “create token” or “create delegated token” query, the simulator simply records that query without computing the actual token created. In particular, in some of these simulations, the simulator is not able to compute all tokens. However, the simulator is always able to compute a token in a “reveal token” query. Recall that a token $\sigma$ represents a set of conjunctive queries over the point $X$ encrypted. Any token $\sigma$ requested in a “reveal token” query must satisfy the condition that for any function $f \in C_\sigma$ ($f$ is a conjunctive query on $X \in \mathbb{Z}_n^{\ell}$), $f(X_0^*) = f(X_1^*)$. Henceforth, we use the terminology $\sigma$ does not separate the two selected points $X_0^*$ and $X_1^*$ to describe the above condition. In all the simulations below, the simulator is always able to compute a token $\sigma$, as long as $\sigma$ does not separate the two selected points.

In  the  simulations  described  below  that  change  certain  parts  of  the  ciphertext,  an  adversary  can 
ask  the  simulator  to  reveal  a  token  of  the  following  types:  1)  non-delegated,  2)  Type  1  delegated,  3) 
Type  2  delegated.  Clearly,  non-delegated  tokens  are  distributed  independently  from  other  tokens. 
Due to Lemma 4.6.1, Type 1 tokens appear to be uncorrelated with their parent tokens. Therefore,
the  simulator  always  computes  non-delegated  and  Type  1  tokens  freshly  at  random.  By  contrast, 
Type  2  tokens  are  correlated  with  their  ancestor  tokens,  and  thus  require  special  treatment.  The 
simulator  must  construct  Type  2  tokens  such  that  they  reflect  the  correct  relationship  with  their 
ancestors.  Before  explaining  how  the  simulations  are  performed,  we  describe  a  general  strategy  the 
simulator  uses  to  generate  Type  2  delegated  tokens,  since  they  require  special  treatment  different 
from  that  for  non-delegated  tokens  and  Type  1  delegated  tokens. 

4.6.4 Generating Type 2 delegated tokens

The simulator uses a “book-keeping” technique. We use the notation $\mathrm{TK}_{\sigma'} \prec_2 \mathrm{TK}_{\sigma}$ to mean that $\mathrm{TK}_{\sigma'}$ is derived from $\mathrm{TK}_{\sigma}$ through a Type 2 delegation operation. Whenever the adversary asks the simulator to reveal a Type 2 delegated token, instead of computing a fresh token, the simulator examines the history of queries, and finds the sequence of Type 2 delegation queries that created this token,

$\mathrm{TK}_{\sigma_k} \prec_2 \mathrm{TK}_{\sigma_{k-1}} \prec_2 \cdots \prec_2 \mathrm{TK}_{\sigma_1}$

where $\mathrm{TK}_{\sigma_k} := \mathrm{TK}_{\sigma}$ is the currently requested token, and $\mathrm{TK}_{\sigma_1}$ is a non-delegated token or a Type 1 delegated token. We note that the simulator might not be able to compute all these tokens. However, the simulator can compute a token if the token does not separate the two selected points $X_0^*$ and $X_1^*$.

If a token $\mathrm{TK}_{\sigma_i}$ ($1 \le i \le k$) in the above sequence has been computed by the simulator in the past, the simulator simply derives $\mathrm{TK}_{\sigma}$ from $\mathrm{TK}_{\sigma_i}$ using the Delegate algorithm, and returns it to the adversary. In particular, $\sigma$ fixes some delegatable coordinates of $\sigma_i$ to $\bot$, and the simulator simply removes the corresponding delegation components from $\mathrm{TK}_{\sigma_i}$ to form $\mathrm{TK}_{\sigma}$. Otherwise, if no token in the above sequence has been computed by the simulator in the history, the simulator finds the earliest ancestor $\mathrm{TK}_{\sigma_i}$ ($1 \le i \le k$) in the above sequence such that $\mathrm{TK}_{\sigma_i}$ does not separate the two selected points $X_0^*$ and $X_1^*$. The simulator generates $\mathrm{TK}_{\sigma_i}$ freshly at random, and then it follows the Delegate algorithm to generate $\mathrm{TK}_{\sigma}$ from $\mathrm{TK}_{\sigma_i}$ (by removing the fields set to $\bot$ from the delegation components).


We  now  describe  a  sequence  of  simulations  that  replace  ciphertext  components  by  random  group 
elements.  In  these  simulations,  we  focus  on  how  the  simulator  can  compute  non-delegated  and 
Type  1  tokens.  Type  2  tokens  are  always  treated  as  a  special  case  using  the  algorithm  described 
earlier  in  this  section. 


4.6.5 Indistinguishability of $\mathrm{Game}_2$ and $\mathrm{Game}_3$

In $\mathrm{Game}_3$, if $\mathrm{Msg}_0 \ne \mathrm{Msg}_1$, the challenger replaces the ciphertext component $\tilde C$ by a random group element from $G_T$.

The proof that $\mathrm{Game}_2$ and $\mathrm{Game}_3$ are indistinguishable to a poly-time adversary is similar to that in the original BW06 paper [21].

We prove this in two steps:

• $\mathrm{Game}'_2$: If $\mathrm{Msg}_0 \ne \mathrm{Msg}_1$, the challenger replaces the ciphertext component $\tilde C$ by a random group element from $G_{T,p}$. No poly-time adversary can distinguish $\mathrm{Game}'_2$ from $\mathrm{Game}_2$ with more than negligible probability.

• Because of the subgroup decision assumption (implied by the C3DH assumption), if the simulator replaces the ciphertext component $\tilde C$ by a random group element from $G_T$ instead of $G_{T,p}$, the adversary cannot distinguish this case from $\mathrm{Game}'_2$.

We first prove that $\mathrm{Game}_2$ is computationally indistinguishable from $\mathrm{Game}'_2$. Suppose the simulator tries to solve the following BDH instance:


$(p, q, r, G, G_T, e) \leftarrow GG(\lambda)$, $n \leftarrow pqr$, $g_p \leftarrow G_p$, $g_q \leftarrow G_q$, $g_r \leftarrow G_r$
$a, b, c \leftarrow \mathbb{Z}_n$

$Z \leftarrow ((n, G, G_T, e),\ g_p, g_q, g_r,\ g_p^{a}, g_p^{b}, g_p^{c})$

$Q \leftarrow e(g_p, g_p)^{abc}$

The simulator is randomly given $(Z, Q' = Q)$ or $(Z, Q' = R)$, where $R$ is a random element in $G_T$, and it tries to distinguish between these two cases.

If  there  exists  a  poly-time  adversary  A  that  has  non-negligible  difference  in  its  advantage  in 
Game2  and  Game3,  we  can  build  the  following  simulation  to  solve  the  BDH  instance. 


Init. The adversary commits to two selected points $X_0^*$ and $X_1^*$. The challenger picks a random coin $\beta$ internally.
Setup. The simulator chooses random $(R_{u,1}, R_{h,1}), (R_{u,2}, R_{h,2}), \ldots, (R_{u,\ell}, R_{h,\ell}) \in G_q$, $R_v \in G_q$, random $z_1, y_1, \ldots, z_\ell, y_\ell \in \mathbb{Z}_n$, and $x, \tilde x \in \mathbb{Z}_n$. The simulator publishes the group description, $g_q, g_r$, and $V = g_p R_v$. It lets $A = e(g_p^{a}, g_p^{b})$ and creates

$U_i = (g_p^{b})^{z_i} R_{u,i}, \qquad H_i = (g_p^{b})^{-z_i X^*_{\beta,i}}\, g_p^{y_i}\, R_{h,i}$

Finally, the simulator creates:

$W = g^{x}, \qquad \tilde W = g^{\tilde x}$

We observe that the parameters are distributed identically to the real scheme.

Query  1.  The  simulator  does  not  compute  any  token  when  the  adversary  makes  “create  token”  or 
“create  delegated  token”  queries.  It  computes  tokens  only  when  “reveal  token”  queries  are  made. 

Recall that in Section 4.6.4 we pointed out that Type 2 tokens require special treatment. In addition, we gave an algorithm for the simulator to generate Type 2 tokens such that they reflect the correct relationship with their parent tokens. Now it suffices to show that the simulator can always compute a fresh random token, so long as the token does not separate the two selected points $X_0^*$ and $X_1^*$.

Whenever the adversary makes a “reveal token” query for a matching token, the simulator simply aborts and takes a random guess. The reason is that by our definition, when the adversary asks the simulator to reveal a matching token, the challenge messages $\mathrm{Msg}_0$ and $\mathrm{Msg}_1$ must be equal. However, in this case, $\mathrm{Game}_2$ and $\mathrm{Game}_3$ are identical, so there can be no difference in the adversary's advantage between these two games.

Whenever the adversary asks the simulator to reveal a non-matching token, the simulator needs to compute a token of the correct form. First, notice that the delegation components $\mathrm{DL}$ can be efficiently computed, since they do not contain any unknown parameters. However, computing the decryption key component $\mathrm{DK}$ is slightly more tricky. Recall that because of the way the public key is formed, $g^{\alpha} = g_p^{ab}$. Therefore, the decryption key component $\mathrm{DK}$ contains the term $g_p^{ab}$. Unfortunately, the simulator does not know $g_p^{ab}$, so it has to find some way to cancel out that term and still form a correctly distributed token. The intuition is that since the token is non-matching, there exists a dimension $i \in S(\sigma)$ where $X^*_{\beta,i} \ne \sigma_i$. We observe that the term

$u_i^{\sigma_i} h_i = (g_p^{b})^{\Delta_i z_i}\, g_p^{y_i}$

contains $(g_p^{b})^{\Delta_i z_i}$, where $\Delta_i = \sigma_i - X^*_{\beta,i} \ne 0$. Therefore, the simulator can pick $\tilde t_i$ at random from $\mathbb{Z}_n$, and let

$t_i = \tilde t_i - a/(\Delta_i z_i)$

without actually computing it. This $t_i$ is used to generate the decryption key component $\mathrm{DK}$. If the simulator picks $t_i$ in the way specified above, it is able to compute $\mathrm{DK}$, since all terms containing the unknown parameter $g_p^{ab}$ cancel out. In particular, in the decryption key $\mathrm{DK}$, $K$ is a product of several terms. Rewrite $K$:

$$K = g^{\alpha}\, w^{\gamma}\, \tilde w^{\tilde\gamma} \prod_{j \in S(\sigma)} (u_j^{\sigma_j} h_j)^{t_j}\; Y = \Big( g^{\alpha} (u_i^{\sigma_i} h_i)^{t_i} \Big) \cdot \Big( w^{\gamma}\, \tilde w^{\tilde\gamma} \prod_{j \in S(\sigma),\, j \ne i} (u_j^{\sigma_j} h_j)^{t_j} \Big)\; Y$$

The product term

$$g^{\alpha} (u_i^{\sigma_i} h_i)^{t_i} = (u_i^{\sigma_i} h_i)^{\tilde t_i} \cdot (g_p^{a})^{-y_i/(\Delta_i z_i)}$$

can be efficiently computed, since all terms involving $g_p^{ab}$ cancel out. It is not hard to see that the remaining terms in $K$ can be efficiently generated, since the simulator knows all parameters needed. As the simulator knows $g_p^{a}$, the term $K_i = v^{t_i}$ can be efficiently computed.
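As an added worked derivation, not part of the thesis, the cancellation above carried through with the same symbols. It assumes $v = g_p$ (from $V = g_p R_v$ in Setup) and $g^{\alpha} = g_p^{ab}$ (from $A = e(g_p^{a}, g_p^{b})$), and writes $u_i, h_i$ for the $G_p$ parts of $U_i, H_i$, dropping the $G_q$ factors $R_{u,i}, R_{h,i}$, which do not enter the token.

$$u_i^{\sigma_i} h_i = (g_p^{b})^{z_i \sigma_i}\,(g_p^{b})^{-z_i X^*_{\beta,i}}\, g_p^{y_i} = g_p^{\,b\Delta_i z_i + y_i}, \qquad \Delta_i = \sigma_i - X^*_{\beta,i} \ne 0 .$$

Raising this to $t_i = \tilde t_i - a/(\Delta_i z_i)$ and splitting the exponent:

$$(u_i^{\sigma_i} h_i)^{t_i} = g_p^{(b\Delta_i z_i + y_i)\tilde t_i} \cdot g_p^{-(b\Delta_i z_i + y_i)\, a/(\Delta_i z_i)} = (u_i^{\sigma_i} h_i)^{\tilde t_i} \cdot g_p^{-ab} \cdot (g_p^{a})^{-y_i/(\Delta_i z_i)} .$$

Multiplying by $g^{\alpha} = g_p^{ab}$ cancels the unknown factor:

$$g^{\alpha}\,(u_i^{\sigma_i} h_i)^{t_i} = (u_i^{\sigma_i} h_i)^{\tilde t_i} \cdot (g_p^{a})^{-y_i/(\Delta_i z_i)},$$

and the matching component of $\mathrm{DK}$ is

$$K_i = v^{t_i} = g_p^{\tilde t_i} \cdot (g_p^{a})^{-1/(\Delta_i z_i)} .$$

Both right-hand sides use only $g_p$, $g_p^{a}$, $g_p^{b}$ and the exponents $\tilde t_i, y_i, z_i, \Delta_i$ known to the simulator, never $g_p^{ab}$; and since $\tilde t_i$ is uniform in $\mathbb{Z}_n$, so is $t_i$, as in a real token.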


Challenge. The adversary gives the simulator two messages, $\mathrm{Msg}_0$ and $\mathrm{Msg}_1$. If $\mathrm{Msg}_0 = \mathrm{Msg}_1$, the simulator aborts and takes a random guess for the reason stated above.

Otherwise, the simulator chooses random $Z, Z_0, \tilde Z_0, Z_1, Z_2, \ldots, Z_\ell \in G_q$, and outputs the following challenge ciphertext:

$\tilde C = \mathrm{Msg}_\beta \cdot Q', \quad C = (g_p^{c})\, Z, \quad C_0 = (g_p^{c})^{x} Z_0, \quad \tilde C_0 = (g_p^{c})^{\tilde x} \tilde Z_0, \quad \forall i \in [\ell]:\ C_i = (g_p^{c})^{y_i} Z_i$

Query  2.  Same  as  phase  Query  1. 


Guess. The adversary outputs a guess $\beta'$. If $\beta = \beta'$, the simulator guesses that $Q' = Q$. Otherwise, the simulator guesses that $Q' = R$. We observe that if $Q' = Q$, the ciphertext component $\tilde C$ is a faithful encryption of $\mathrm{Msg}_\beta$; otherwise, $\tilde C$ is distributed at random in $G_{T,p}$. Therefore, if the adversary has $\epsilon$ advantage in guessing $\beta$, the simulator also has $\epsilon$ advantage in solving the BDH instance.

To show that $\mathrm{Game}'_2$ is computationally indistinguishable from $\mathrm{Game}_3$, we rely on the Bilinear Subgroup Decision (BSD) assumption introduced by Boneh, Sahai and Waters [13]. The Bilinear Subgroup Decision assumption is implied by the generalized composite 3-party Diffie-Hellman assumption.

The simulator gets the following BSD instance:

$(p, q, r, G, G_T, e) \leftarrow GG(\lambda)$, $n \leftarrow pqr$, $g_p \leftarrow G_p$, $g_q \leftarrow G_q$, $g_r \leftarrow G_r$
$Z \leftarrow ((n, G, G_T, e),\ g_p, g_q, g_r)$

$Q \leftarrow G_{T,p}$

The simulator is also randomly given $Q' = Q$ or $Q' = R$, where $R \leftarrow G_T$. The BSD assumption posits that no poly-time algorithm can distinguish between the above two cases with more than negligible advantage.

The  simulation  proceeds  as  follows. 


Init. The attacker gives the simulator two identities $X_0^*$, $X_1^*$. The challenger then flips the coin $\beta$ internally.


Setup. The simulator sets up the parameters as would the real setup algorithm. All the simulator needs to do this is $g_p, g_q, g_r$ from the assumption.




Query 1. The simulator answers queries as the real authority would. One small difference is that the simulator chooses exponents from $\mathbb{Z}_n$ instead of $\mathbb{Z}_p$. However, this does not change anything, since both the simulator and a real authority will raise the elements from $G_p$ to the exponents.


Challenge. The adversary first gives the simulator messages $\mathrm{Msg}_0$, $\mathrm{Msg}_1$. If $\mathrm{Msg}_0 = \mathrm{Msg}_1$, then the simulator simply encrypts the message to the point $X_\beta^*$. Otherwise, the simulator creates the challenge ciphertext of message $\mathrm{Msg}_\beta$ to $X_\beta^*$ as normal, with the exception that $\tilde C$ is multiplied by $Q'$.

If $Q' = Q$, then the simulator is playing $\mathrm{Game}'_2$; otherwise it is playing $\mathrm{Game}_3$.

Query 2. Same as Query Phase 1.

Guess. The adversary outputs a guess $\beta'$. If $\beta = \beta'$, the simulator guesses that $Q' = Q$; otherwise it guesses that $Q' = R$. By our assumption, the probability that the adversary guesses $\beta$ correctly in $\mathrm{Game}'_2$ has a non-negligible $\epsilon$ difference from that of it guessing correctly in $\mathrm{Game}_3$. However, it is in $\mathrm{Game}_3$ if and only if the challenger gave the simulator $Q' = R$ instead of $Q' = Q$. Therefore, the simulator has advantage $\epsilon$ in the Bilinear Subgroup Decision game, implying that the simulator has an advantage of $\epsilon$ in the Composite 3-Party Diffie-Hellman game.


4.6.6 Indistinguishability of $\mathrm{Game}_3$ and $\mathrm{Game}_4$

If a polynomial time adversary $\mathcal{A}$ has non-negligible difference $\epsilon$ between its advantage in $\mathrm{Game}_3$ and $\mathrm{Game}_4$, we can build a simulator $\mathcal{B}$ that breaks the C3DH assumption with probability $\epsilon$.

The challenger first creates a 3-Party challenge:

$(p, q, r, G, G_T, e) \leftarrow GG(\lambda)$, $n \leftarrow pqr$, $g_p \leftarrow G_p$, $g_q \leftarrow G_q$, $g_r \leftarrow G_r$

$R_1, R_2, R_3 \leftarrow G_q$

$a, b, c \leftarrow \mathbb{Z}_n$

$Z \leftarrow ((n, G, G_T, e),\ g_p, g_q, g_r,\ g_p^{a}, g_p^{b},\ T = g_p^{ab} \cdot R_1,\ Y = g_p^{abc} \cdot R_2)$

$Q \leftarrow g_p^{c} \cdot R_3$

It then randomly decides whether to give $(Z, Q' = Q)$ or $(Z, Q' = R)$, where $R$ is a random element in $G_{pq}$.

We  create  the  following  simulation: 


Init. The adversary commits to two points $X_0^*$ and $X_1^*$. The simulator flips a random coin $\beta$ internally.
Setup. The simulator picks $V = g_p R_v$, where $R_v$ is picked at random from $G_q$. The simulator also picks from $\mathbb{Z}_n$ random exponents $y, x, \tilde x$, and $\mu_i, z_i$ for each $i \in [\ell]$, and lets

$W = g_p^{y} \cdot T^{x}, \qquad \tilde W = T^{\tilde x}$

The simulator creates:

where the $R_{u,i}$'s and $R_{h,i}$'s are random group elements from $G_q$. The simulator also chooses a random $\alpha \in \mathbb{Z}_n$, and computes $A = e(g_p, V)^{\alpha}$.

Query 1. Recall that each query $\sigma$ defines a set of conjunctive queries $C_\sigma$ on the encrypted point $X$. Whenever the adversary asks the simulator to reveal a token for $\sigma$, $\sigma$ must satisfy the condition that for any function $f \in C_\sigma$ ($f$ is a conjunctive query on $X \in \mathbb{Z}_n^{\ell}$), $f(X_0^*) = f(X_1^*)$. Henceforth, we use the terminology $\sigma$ does not separate the two selected points $X_0^*$ and $X_1^*$ to denote the above condition.


We now describe how the simulator responds to the adversary's “reveal token” queries. The token can be non-delegated, Type 1 delegated, or Type 2 delegated. Type 1 delegated tokens and non-delegated tokens should be generated freshly at random, while Type 2 tokens should reflect the correct relation with their parent tokens. In Section 4.6.4 we gave an algorithm for generating Type 2 tokens. Hence, it suffices to show how the simulator can compute fresh random tokens.


• If the token matches both selected points, the simulator first picks a random $r$ from $\mathbb{Z}_n$, and lets $\gamma = -\tilde x r$ and $\tilde\gamma = x r$. Similarly, the simulator picks a random $r_i \in \mathbb{Z}_n$ for each $i \in W(\sigma)$, and lets $\gamma_i = -\tilde x r_i$ and $\tilde\gamma_i = x r_i$. Except for the above, the simulator follows the GenToken algorithm and computes the token. Notice that the token can be computed efficiently, since the only unknown term involving $g_p^{ab}$ cancels out because of the way the simulator chose $\gamma, \tilde\gamma$, and the way the simulator chose the $\gamma_i$'s and $\tilde\gamma_i$'s. In particular, consider the term $K$ in the decryption key component $\mathrm{DK}$. Group the terms in $K$:

$K$

In the above, the product term $w^{\gamma} \tilde w^{\tilde\gamma}$ can be efficiently computed since all terms involving $g_p^{ab}$ cancel out:

Similarly, for all $i \in W(\sigma)$, the following term in the delegation component $\mathrm{DL}_i$ can be efficiently computed:

Clearly, all remaining terms in $\mathrm{DK}$ or $\mathrm{DL}$ can be efficiently computed, since the simulator knows all necessary parameters.
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•  If  the  token  matches  neither  selected  point,  there  exists  coordinate  c  G  S(a),  such  that 
Ac  =  ac  —  Xp  c  ^  0.  In  this  case,  the  simulator  uses  the  following  strategy  to  compute  the 
decryption  key  component  DK.  The  simulator  first  picks  random  7,7  G  Zn.  It  also  picks 
random  tc  G  Zn,  and  lets 

+  _  7  a( 7X  +  tx) 

A 

without actually computing $t_c$. Except for the above, the simulator follows the GenToken
algorithm to compute the requested token. Notice that the token can be computed efficiently,
since all terms involving the unknown parameter $g_p^{ab}$ cancel out. In particular, in the decryption
key component DK, group the terms in $K$:


The product term $w^{\gamma}\bar{w}^{\bar{\gamma}}(u_c^{\sigma_c}h_c)^{t_c}$ can be efficiently computed, since all terms involving the
unknown parameter $g_p^{ab}$ cancel out:

$$w^{\gamma}\bar{w}^{\bar{\gamma}}(u_c^{\sigma_c}h_c)^{t_c} = g_p^{y\gamma}\,(u_c^{\sigma_c}h_c)^{t'_c}\,(g_p^{a})^{-\theta_c}$$

where $\theta_c$ denotes the exponent collected on $g_p^{a}$ above. In addition, we observe that the term $K_c = v^{t_c}Y_c$ can be computed
efficiently since the simulator knows $g_p$ and $g_p^{a}$. Clearly, all other terms in DK can be computed
efficiently.

To generate the delegation components DL, we can apply the same trick, i.e., by letting

$$s_{i,c} = s'_{i,c} - \frac{a(\gamma_i x + \bar{\gamma}_i\bar{x})}{\mu_c \Delta_c}$$

for every $i \in W(\sigma)$, where $s'_{i,c}$ is picked at random from $\mathbb{Z}_n$.

Challenge. The adversary submits two messages $\mathrm{Msg}_0$ and $\mathrm{Msg}_1$ to the simulator. The simulator
creates the following ciphertext:

$$C = Q',\quad C_0 = Q'^{\,y}\, Y^{x}\, Z_0,\quad \bar{C}_0 = Y^{\bar{x}}\,\bar{Z}_0,\quad \forall i \in [\ell]:\ C_i = Q'^{\,z_i}\, Z_i$$

In addition, if $\mathrm{Msg}_0 = \mathrm{Msg}_1$, the simulator lets $\tilde{C} = e(g_p, Q')^{\alpha}$. Otherwise, $\tilde{C}$ is replaced by a
random element from $\mathbb{G}_T$. Observe that if $Q' = Q$, the ciphertext is identically distributed as in
Game$_3$. Otherwise, if $Q'$ is a random element from $\mathbb{G}_{pq}$, the ciphertext is identically distributed as
in Game$_4$.

Query  2.  Same  as  the  Query  1  stage. 

Guess. The adversary outputs a guess $\beta'$ of $\beta$. By the C3DH assumption, a poly-time adversary
cannot have more than negligible difference in its advantage in Game$_3$ and Game$_4$.
4.6.7 Indistinguishability of Game4 and Game5

Let $E$ denote the set of indices $i$ where the two committed points are not equal, i.e., $X^*_{0,i} \neq X^*_{1,i}$.
Let Game$_{4,0}$ := Game$_4$. We define a sequence of games Game$_{4,1}$, Game$_{4,2}$, ..., Game$_{4,|E|}$. Let
$E_i \subseteq E$ denote the first $i$ indices in $E$. In Game$_{4,i}$ ($1 \le i \le |E|$), the challenger creates the ciphertext
components $\tilde{C}$, $C$, and $C_j$ normally for all $j \notin E_i$. For all $j \in E_i$, the challenger replaces $C_j$ with
a random group element from $\mathbb{G}_{pq}$. For $C_0$ and $\bar{C}_0$, the challenger creates the following ciphertext
components as in Game$_4$:

Co  =  Wpg^p'Zo,  C0  =  WPgp'Z * 

where $\rho'$ is a random element from $\mathbb{Z}_p$. Recall that the simulator picks $\pi \in \mathbb{Z}_p$ at random
before the game starts, and $\pi$ is hidden from the adversary. Whenever the adversary makes a query
that matches both selected points, the simulator picks the exponents for $w$ and $\bar{w}$ in a correlated
way such that $\bar{\gamma} = \pi\gamma$ and $\bar{\gamma}_i = \pi\gamma_i$ for all $i \in W(\sigma)$. It is not hard to see that Game$_{4,|E|}$ = Game$_5$.

We now prove Lemma 4.6.5 and show that a poly-time adversary cannot have more than
negligible difference in its advantage in Game$_4$ and Game$_5$. Because of the hybrid argument, it
suffices to show that Game$_{4,d}$ is computationally indistinguishable from Game$_{4,d+1}$, where
$0 \le d < |E|$.

We prove this by supposing that a poly-time adversary $\mathcal{A}$ has more than negligible difference
in its advantage against Game$_{4,d}$ and Game$_{4,d+1}$. Now we build a simulator $\mathcal{B}$ that leverages $\mathcal{A}$ to
solve the C3DH problem.

The challenger first creates a 3-party challenge:

$$(p, q, r, \mathbb{G}, \mathbb{G}_T, e) \leftarrow \mathcal{G}(\lambda),\quad n \leftarrow pqr,\quad g_p \leftarrow \mathbb{G}_p,\ g_q \leftarrow \mathbb{G}_q,\ g_r \leftarrow \mathbb{G}_r$$

$$R_1, R_2, R_3 \leftarrow \mathbb{G}_q$$

$$a, b, c \leftarrow \mathbb{Z}_n$$

$$Z \leftarrow \big((n, \mathbb{G}, \mathbb{G}_T, e),\ g_p,\ g_q,\ g_r,\ g_p^{a},\ g_p^{b},\ X = g_p^{ab}\cdot R_1,\ Y = g_p^{abc}\cdot R_2\big)$$

$$Q \leftarrow g_p^{c}\cdot R_3$$

It then randomly decides whether to give $(Z, Q' = Q)$ or $(Z, Q' = R)$, where $R$ is a random
element in $\mathbb{G}_{pq}$.

We create the following simulation:

Init. The adversary commits two points to the simulator, $X^*_0$ and $X^*_1$. The challenger flips a
random coin $\beta$ internally.

Setup. Let $\delta$ denote the $(d+1)$-th index in $E$.

The simulator first chooses random $(R_{u,1}, R_{h,1}), \ldots, (R_{u,\ell}, R_{h,\ell}) \in \mathbb{G}_q$ and random
$\mu_1, y_1, \ldots, \mu_\ell, y_\ell \in \mathbb{Z}_n$.
The simulator first publishes the group description and $g_q, g_r, V = g_p R_v$, where $R_v$ is a random
element from the subgroup $\mathbb{G}_r$. It picks a random $\alpha \in \mathbb{Z}_n$ and lets $A = e(V, g_p)^{\alpha}$. It creates

$$U_\delta = g_p^{\mu_\delta} R_{u,\delta},\qquad H_\delta = g_p^{-\mu_\delta X^*_{\beta,\delta}}\, X^{y_\delta}\, R_{h,\delta}$$

Next, for all $i \neq \delta$ it creates

$$U_i = g_p^{\mu_i} R_{u,i},\qquad H_i = g_p^{-\mu_i X^*_{\beta,i}}\, g_p^{y_i}\, R_{h,i}$$

Finally, the simulator picks random $R_w, R_{\bar{w}}$ from $\mathbb{G}_q$, and random exponents $x, y, \bar{y}$ from $\mathbb{Z}_n$,
and computes

$$W = g_p^{x}\,(g_p^{b})^{y}\, R_w,\qquad \bar{W} = (g_p^{b})^{\bar{y}}\, R_{\bar{w}}$$

We observe that the parameters are distributed identically to the real scheme.

The simulator also sets $\pi = -y/\bar{y}$. We observe that $\pi$ is information theoretically hidden from
the adversary.


Query 1. Whenever the simulator receives a "reveal token" query from the adversary, it needs to
compute a token of the appropriate form and return it to the adversary. The token that the adversary
is requesting can be one of the following three cases: 1) non-delegated, 2) Type 1 delegated, 3)
Type 2 delegated. Recall that the simulator generates Type 1 and non-delegated tokens freshly at
random. Meanwhile, Section 4.6.4 provides an algorithm for generating Type 2 tokens. It suffices
now to show how to generate tokens freshly at random.

Consider that the simulator has received a query from the adversary for a non-delegated token
or a Type 1 delegated token $\sigma$. Recall that $\sigma$ should not separate the two committed points $X^*_0$ and
$X^*_1$. Hence, exactly one of the following two cases must be true. Let $\bar{E}$ denote the set of indices
$i$ where the two committed points are equal, i.e., $X^*_{0,i} = X^*_{1,i}$, and $E = [\ell] \setminus \bar{E}$ denote the set of
indices where $X^*_0$ and $X^*_1$ are not equal.

Case 1. $\delta \notin S(\sigma) \cup W(\sigma)$.

Case 2. $\delta \in S(\sigma) \cup W(\sigma)$. There must exist $i, j \in S(\sigma)$ such that $\sigma_i \neq X^*_{0,i}$ and $\sigma_j \neq X^*_{1,j}$. In other
words, the query $\sigma$ does not match either of the committed points.

Case 1. In Case 1, $\delta \notin S(\sigma) \cup W(\sigma)$. The simulator checks if the requested token matches both
selected points. If so, the simulator picks correlated exponents for $w$ and $\bar{w}$: $\bar{\gamma} = \pi\gamma$, and $\bar{\gamma}_i = \pi\gamma_i$
for all $i \in W(\sigma)$. (Recall that the simulator sets $\pi = -y/\bar{y}$.) The simulator proceeds to generate
the remaining parts of the token according to the GenToken algorithm. Otherwise, if the requested
token matches neither of the selected points, the simulator simply follows the GenToken algorithm
to generate the token. It is not hard to see that the token can be efficiently computed in this case,
since the simulator knows $u_i, h_i$ for all $i \neq \delta$, as well as the other parameters needed.

Case 2. This is the more complicated case, since the simulator does not know $h_\delta$, which contains
the term $g_p^{ab}$. Also, in this case, the token queried does not match either of the selected points.
Therefore, the simulator will leverage $w$ and $\bar{w}$ to cancel out the unknown parameters in $h_\delta$.

We first describe how to generate the decryption key component DK. If $\delta \notin S(\sigma)$, then it is
trivial for the simulator to generate DK, since the unknown parameter $h_\delta$ does not appear in DK,
and the simulator knows all parameters required. If $\delta \in S(\sigma)$, the simulator picks $t_\delta, \gamma' \in \mathbb{Z}_n$ at
random, and lets $\gamma$ be the following without actually computing it:

$$\gamma = \gamma' - a\, t_\delta\, y_\delta / y$$

Now the simulator follows the GenToken algorithm to generate the remaining parts of the decryption
key DK. DK can be efficiently computed, even though the simulator does not know $g_p^{ab}$, as all terms
involving $g_p^{ab}$ cancel out in DK. In particular, consider the term $K$ in DK. Group the terms in $K$:

The product term $w^{\gamma}(u_\delta^{\sigma_\delta}h_\delta)^{t_\delta}$ can be efficiently computed since all terms involving $g_p^{ab}$ cancel out:

$$w^{\gamma}(u_\delta^{\sigma_\delta}h_\delta)^{t_\delta} = (g_p^{b})^{y\gamma'}\; g_p^{\,x\gamma' + \mu_\delta\Delta_\delta t_\delta}\; (g_p^{a})^{-x\, t_\delta\, y_\delta / y}$$

where $\Delta_\delta = \sigma_\delta - X^*_{\beta,\delta}$. Meanwhile, the term $K_\delta = v^{t_\delta}Y_\delta$ can be efficiently computed since the
simulator knows $g_p$. It is not hard to see that all remaining terms in DK can be efficiently computed.

We show how to generate the delegation components. The simulator can use exactly the same
strategy to generate DL. Basically, for all $i \in W(\sigma)$, the simulator picks $s_{i,\delta}, \gamma'_i \in \mathbb{Z}_n$ at random,
and lets $\gamma_i$ be the following without actually computing it:

$$\gamma_i = \gamma'_i - a\, s_{i,\delta}\, y_\delta / y$$

In this way, depending on whether $\delta \in S(\sigma)$ or $\delta \in W(\sigma)$, the product $w^{\gamma_i}(u_\delta^{\sigma_\delta}h_\delta)^{s_{i,\delta}}$ or $w^{\gamma_i}h_\delta^{s_{i,\delta}}$
can be efficiently computed, since terms involving $g_p^{ab}$ cancel out.

Challenge. The adversary submits two messages $\mathrm{Msg}_0$ and $\mathrm{Msg}_1$. Let $E$ denote the set of
indices $i$ such that $X^*_{0,i} \neq X^*_{1,i}$. Let $E_d$ denote the first $d$ indices in $E$. The simulator picks random
$P \in \mathbb{G}_{pq}$, $Z_0, \bar{Z}_0 \in \mathbb{G}_q$, and $Z_i \in \mathbb{G}_q$ for all $i \in [\ell]$. The simulator creates the following ciphertext:

$$C = Q',\quad C_0 = Q'^{\,x}\, P^{y}\, Z_0,\quad \bar{C}_0 = P^{\bar{y}}\,\bar{Z}_0,\quad C_\delta = Y^{y_\delta}\, Z_\delta,\quad \forall i \neq \delta \text{ and } i \notin E_d:\ C_i = Q'^{\,y_i}\, Z_i$$

For all $i \in E_d$, the simulator picks a random element in $\mathbb{G}_{pq}$ for $C_i$. In addition, if $\mathrm{Msg}_0 =
\mathrm{Msg}_1$, the simulator computes $\tilde{C} = e(g_p, Q')^{\alpha}$; otherwise, the simulator replaces $\tilde{C}$ with a random
element from $\mathbb{G}_T$. Notice that if $Q' = Q$, then the above simulation is identically distributed as
Game$_{4,d}$. Otherwise, if $Q' = R$, the simulation is identically distributed as Game$_{4,d+1}$.

Query  2.  Same  as  phase  Query  1. 

Guess. The adversary outputs a guess $\beta'$ of $\beta$. If the adversary guesses correctly, i.e., $\beta' = \beta$,
the simulator guesses that $Q' = Q$ in the C3DH instance. Otherwise, the simulator guesses that
$Q' = R$. It is not hard to see that any advantage of the adversary in distinguishing $\beta$ translates to
the simulator's advantage in solving the C3DH problem.
4.7 dHVE Full Security

We formally define the security of dHVE through the following security game between a challenger
and an adversary.

•  Setup.  The  challenger  runs  the  Setup  algorithm,  and  gives  the  adversary  the  public  key  PK. 

•  Query  1.  The  adversary  adaptively  makes  a  polynomial  number  of  “create  token”,  “create 
delegated  token”,  or  “reveal  token”  queries.  The  challenger  answers  these  queries  accord¬ 
ingly. 

• Challenge. The adversary outputs two pairs $(\mathrm{Msg}_0, X_0), (\mathrm{Msg}_1, X_1) \in \{0,1\}^* \times \Sigma^{\ell}$ subject
to the following constraints:

For any token $\sigma$ revealed to the adversary in the Query 1 stage, let $C_\sigma$ denote the set of
conjunctive queries corresponding to this token.

1. For all $f \in C_\sigma$, $f(X_0) = f(X_1)$.

2. If $\exists f \in C_\sigma$ such that $f(X_0) = f(X_1) = 1$, then $\mathrm{Msg}_0 = \mathrm{Msg}_1$.

The  challenger  flips  a  random  coin  b  and  returns  an  encryption  of  (Msgb,  Xb)  to  the  adver¬ 
sary. 

•  Query  2.  Repeat  the  Query  1  stage.  All  tokens  revealed  in  this  stage  should  satisfy  the  same 
condition  as  above. 

•  Guess.  The  adversary  outputs  a  guess  b'  of  b. 

As before, the advantage of an adversary $\mathcal{A}$ in the above game is defined to be $\mathrm{Adv}_{\mathcal{A}} = |\Pr[b = b'] - 1/2|$.
We say that a dHVE construction is secure if for all polynomial time adversaries, its
advantage in the above game is a negligible function of $\lambda$.
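The two Challenge constraints above, as an added example that is not part of the thesis: a checker for whether a set of revealed tokens leaves a challenge pair $(X_0, X_1, \mathrm{Msg}_0, \mathrm{Msg}_1)$ admissible. The token syntax it assumes (attribute values, a fixed wildcard `?` and a delegatable field `*`, so that $S(\sigma)$ holds the values and $W(\sigma)$ the `*` fields, and $C_\sigma$ is every fill-in of some `*` fields) is an assumption of this example; the text only names $S(\sigma)$ and $W(\sigma)$. The closed-form test for "$\sigma$ separates the two points" is cross-checked against brute-force enumeration of $C_\sigma$ over a small constructed alphabet.

```python
"""Admissibility of a dHVE challenge (added example, not code from the thesis).

Assumed token syntax: a tuple over an attribute alphabet plus two wildcard symbols.
'?' is a fixed wildcard (matches anything, cannot be changed); '*' marks a delegatable
field.  S(sigma) are the coordinates holding attribute values, W(sigma) the '*'
coordinates.  C_sigma contains every query obtained by filling any subset of W(sigma)
with attribute values; the empty fill-in is the token's own query.
"""
from itertools import product

FIXED_WILDCARD = "?"
DELEGATABLE = "*"


def fixed_coords(sigma):
    """S(sigma): coordinates that carry a concrete attribute value."""
    return [i for i, s in enumerate(sigma) if s not in (FIXED_WILDCARD, DELEGATABLE)]


def delegatable_coords(sigma):
    """W(sigma): coordinates a delegatee may later fill in."""
    return [i for i, s in enumerate(sigma) if s == DELEGATABLE]


def matches(query, point):
    """HVE match: the point agrees with the query on every fixed coordinate."""
    return all(query[i] == point[i] for i in fixed_coords(query))


def delegate(sigma, fills):
    """Type 2 delegation: fill some delegatable fields of sigma; anything else is rejected."""
    child = list(sigma)
    for i, value in fills.items():
        if sigma[i] != DELEGATABLE:
            raise ValueError("coordinate %d of the parent token is not delegatable" % i)
        child[i] = value
    return tuple(child)


def conjunctive_queries(sigma, alphabet):
    """Enumerate C_sigma over a finite alphabet (used to cross-check the closed form)."""
    w = delegatable_coords(sigma)
    for fill in product(list(alphabet) + [DELEGATABLE], repeat=len(w)):
        yield delegate(sigma, {i: v for i, v in zip(w, fill) if v != DELEGATABLE})


def separates(sigma, x0, x1):
    """Constraint 1 violated?  Some f in C_sigma has f(x0) != f(x1).

    Closed form: either exactly one point matches sigma itself, or both match and
    they differ on a delegatable coordinate (a delegatee could fill it with x0's value).
    """
    m0, m1 = matches(sigma, x0), matches(sigma, x1)
    if m0 != m1:
        return True
    return m0 and any(x0[i] != x1[i] for i in delegatable_coords(sigma))


def separates_bruteforce(sigma, x0, x1, alphabet):
    return any(matches(f, x0) != matches(f, x1) for f in conjunctive_queries(sigma, alphabet))


def admissible(revealed_tokens, x0, x1, msg0, msg1):
    """Both Challenge constraints: no revealed token separates X0 and X1, and if some
    f in C_sigma accepts both points (equivalently, sigma itself does) the messages agree."""
    for sigma in revealed_tokens:
        if separates(sigma, x0, x1):
            return False
        if matches(sigma, x0) and msg0 != msg1:
            return False
    return True


if __name__ == "__main__":
    x0, x1 = ("a", "x", "1"), ("a", "y", "2")                # constructed sample points
    print(admissible([("a", "?", "?")], x0, x1, "m", "m"))    # True: equal messages
    print(admissible([("a", "*", "?")], x0, x1, "m", "m"))    # False: a delegatee could fill 'x'
```

The second call fails because the `*` field could be delegated to the value `x`, producing a query in $C_\sigma$ that accepts $X_0$ but not $X_1$; this is exactly the case the proof has to rule out when it requires that revealed tokens not separate the committed points.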


4.8  Anonymous  Hierarchical  Identity-Based  Encryption  with 
Short  Private  Keys 


In Section 4.1.2 we propose a new and complete security definition for delegation in these (anonymous)
IBE systems. By contrast, previously, researchers have used an under-specified security
game, where the adversary does not get to specify how each queried token is derived. We now
show one advantage of being able to capture such nuances in our security definition, by giving
an Anonymous Hierarchical Identity-Based Encryption (AHIBE) construction with shorter private
keys than the original construction by Boyen and Waters [13].

To  achieve  this,  we  rely  on  the  same  technique  that  we  use  for  our  dHVE  construction:  we 
multiply  the  private  keys  by  random  group  elements  in  the  third  subgroup  Gr,  so  that  the  private 
keys  are  computationally  indistinguishable  from  being  picked  freshly  at  random. 

For  consistency,  we  build  our  AHIBE  scheme  based  on  composite  bilinear  groups  and  the 
C3DH  assumption,  rather  than  the  Decisional  Linear  assumption  adopted  by  the  original  BW  con¬ 
struction.  One  can  easily  build  the  scheme  using  the  Decisional  Linear  assumption  as  well. 
In comparison, the original BW construction has $O(D^2)$ private key size and our construction
has $O(D)$ private key size, where $D$ denotes the depth of the hierarchy. Meanwhile, we preserve
all other costs asymptotically, including ciphertext size, encryption cost, and decryption cost.

4.8.1  Construction 

Setup($1^{\lambda}$, $D$): The setup algorithm takes as input a security parameter $1^{\lambda}$, the maximum depth
$D \in \mathbb{N}$, and outputs public parameters PK and the corresponding master secret key MSK.
The setup algorithm first chooses random large primes $p, q, r > m$ and creates a bilinear
group $\mathbb{G}$ of composite order $n = pqr$, as specified in Section 4.3. Next, it picks random
$g, v \in \mathbb{G}_p$, $g_q \in \mathbb{G}_q$, $g_r \in \mathbb{G}_r$, a random exponent $a \in \mathbb{Z}_p$, and random elements

$$\forall n \in [0, D+1],\ \forall \ell \in [0, D]:\quad u_{n,\ell} \leftarrow \mathbb{G}_p$$

It keeps all the above as the master secret key MSK. The Setup algorithm then chooses the
following blinding factors in $\mathbb{G}_q$:

$$R_v,\qquad \forall n \in [0, D+1],\ \forall \ell \in [0, D]:\quad R_{n,\ell} \leftarrow \mathbb{G}_q$$


Extract(PK, MSK, $X$): The Extract algorithm takes as input the public key PK, the master secret
key MSK, and an ID tuple $X = (I_0, I_1, \ldots, I_L) \in (\mathbb{Z}_n^{*})^{1+L}$, where $L \in [D]$, and by
convention, $I_0 = 1$. The algorithm generates a private key corresponding to the identity $X$.

• Pick random exponents $r_0, r_1, \ldots, r_{1+D}$ from $\mathbb{Z}_p$. Pick random blinding factors $Y, Y_0,
Y_1, \ldots, Y_{1+D}$ from $\mathbb{G}_r$, and random $Y'_{1+L}, Y'_{2+L}, \ldots, Y'_D$ from $\mathbb{G}_r$.

•  Compute  the  decryption  key  portion  of  the  private  key: 


•  Compute  the  following  delegation  components  of  the  decryption  key: 


Derive(PK, Pvk$_{X|_{L-1}}$, $X$): The Derive algorithm takes as input the public key PK, and derives a
private key for $X = (I_0, I_1, \ldots, I_L)$ from a parent key for $X|_{L-1} := (I_0, I_1, \ldots, I_{L-1})$.

• First, express the parent key using the same notation as before: Pvk$_{X|_{L-1}}$ = (DK, DL),
where DK = $(K, K_0, K_1, \ldots, K_{1+D})$, and DL = $(J_L, J_{1+L}, \ldots, J_D)$.

• Next, pick a random exponent $r \in \mathbb{Z}_n$, and random blinding factors $Y, Y_0, \ldots, Y_{1+D}$,
and $Y'_{1+L}, \ldots, Y'_D$ from $\mathbb{G}_r$.

• Compute the decryption key portion of the child key:

$$\mathrm{DK}' = \Big(K' = (K \cdot J_L^{\,I_L})^{r}\, Y,\qquad \forall n \in [0, 1+D]:\ K'_n = K_n^{\,r}\, Y_n\Big)$$

• Compute the delegation components of the child key:

DL' = (∀ℓ ∈ [1+L, D]:


Encrypt(PK, $X$, Msg): The Encrypt algorithm takes a public key PK, and encrypts a message
Msg to an identity $X = (I_0, I_1, \ldots, I_L)$. The algorithm proceeds as follows:

• Pick a random exponent $s \in \mathbb{Z}_n$. Pick random blinding factors $Z, Z_0, Z_1, \ldots, Z_{1+D}$
from $\mathbb{G}_q$.

• Compute the following ciphertext:

$$\mathrm{CT} = \Big(c = \mathrm{Msg}\cdot A^{s},\quad \bar{C} = V^{s} Z,\quad \forall n \in [0, 1+D]:\ C_n = \Big(\prod_{\ell=0}^{L} U_{n,\ell}^{\,I_\ell}\Big)^{s} Z_n\Big)$$


Decrypt(PK, Pvk$_X$, CT): The Decrypt algorithm takes a public key PK, a private key Pvk$_X$, and
decrypts a ciphertext CT. Using the same notation for the ciphertext and the private key as
before, decrypt the message:

$$\frac{c \cdot \prod_{n=0}^{1+D} e(C_n, K_n)}{e(\bar{C}, K)} = \mathrm{Msg}$$


4.8.2  Security  of  construction 


Theorem 4.8.1 The above-defined A-HIBE construction is internally consistent. In addition, it is
IND-sID-CPA and ANON-sID-CPA secure under the cBDH and C3DH assumptions in the bilinear
group $\mathbb{G}$.

See the original BW paper [13] for detailed definitions of IND-sID-CPA and ANON-sID-CPA
security.

The  proof  of  the  consistency  is  straightforward.  Proof  of  security  can  be  done  in  the  following 
steps: 


•  As  we  multiply  all  elements  of  the  private  key  with  a  random  group  element  from  the  third 
subgroup  Gr,  we  can  show  that  private  keys  generated  by  the  Derive  algorithm  are  compu¬ 
tationally  indistinguishable  from  being  picked  freshly  at  random. 


• Show that if private keys were really generated freshly at random rather than by calling the
Derive algorithm, the scheme would be IND-sID-CPA and ANON-sID-CPA secure. This
part of the proof is done in a manner similar to that of the BW construction [13]. The only
exception is that we now replace the Decisional Linear assumption by the C3DH assumption.
However, the gist of the proof remains unchanged.

We  omit  the  complete  proof  in  this  thesis,  since  it  is  very  similar  to  the  proof  of  our  dHVE 
construction. 
Chapter 5

Query Privacy in Predicate Encryption


In  this  chapter,  we  present  a  predicate  secret-key  encryption  scheme  that  not  only  hides  the  plain¬ 
text  encrypted,  but  also  protects  the  privacy  of  the  query  predicates.  Our  construction  supports 
inner-product  queries.  We  begin  by  motivating  why  query  privacy  is  an  important  problem. 


5.1  Query  Privacy  in  Predicate  Encryption 

The  schemes  described  so  far  are  in  the  public-key  setting.  While  they  guarantee  the  secrecy  of 
the  plaintext  encrypted,  they  do  not  provide  any  guarantees  of  secrecy  on  the  query  predicate.  In 
fact,  if  Alice  sends  Google  a  capability  to  search  on  her  encrypted  emails,  Google  can  infer  some 
information  about  the  query  embedded  in  the  capability. 

Leaking  information  about  the  query  predicate  may  also  be  undesirable  in  certain  applications. 
For  example,  Alice  stores  her  encrypted  documents  on  a  remote  server,  and  would  like  to  perform 
searches  on  the  encrypted  data.  Ideally,  Alice  would  like  to  hide  from  the  remote  server  not  only 
her  documents,  but  also  her  queries,  as  the  queries  can  reveal  sensitive  information  just  like  the 
documents.  Alice  could  make  a  query  for  documents  containing  the  keyword  “cardiologist”,  which 
reveals  her  sensitive  medical  information.  Unfortunately,  in  public-key  predicate  encryption,  it  is 
inherently  impossible  to  guarantee  the  privacy  of  the  queries  (roughly  in  the  semantic  security 
sense).  This  reason  is  rooted  in  the  fact  that  anyone  can  encrypt  using  the  public  key.  Suppose  that 
the  server  would  like  to  leam  whether  a  token  TK  corresponds  to  the  query  (DOCUMENT  contains 
“cardiologist”),  the  server  can  take  the  public  key,  and  encrypt  a  document  containing  the  keyword 
“cardiologist”.  Now  the  server  can  simply  apply  the  token  TK  on  the  resulting  ciphertext  to  check 
if  they  match.  Due  to  this  observation,  prior  work  on  public-key  predicate  encryption  addresses 
only  privacy  of  the  plaintexts  (henceforth  referred  to  as  plaintext  privacy),  but  not  privacy  of  the 
queries  (henceforth  referred  to  as  query  privacy ). 

The  above  observation  tells  us  query  privacy  is  not  possible  in  the  public-key  setting.  In  other 
words,  if  we  would  like  to  guarantee  query  privacy,  we  cannot  let  everyone  have  the  ability  to 
encrypt.  Naturally,  this  raises  the  following  question:  what  if  we  consider  the  secret-key  setting 
where  only  the  owner  of  the  secret  key  can  encrypt?  Is  it  possible  to  guarantee  query  privacy 
in  addition  to  plaintext  privacy  in  the  secret-key  setting?  In  this  chapter,  we  demonstrate  that 
it is indeed possible to achieve both query privacy and plaintext privacy in secret-key predicate
encryption. Moreover, our construction supports expressive queries.

In  this  chapter,  we  present  a  secret-key  predicate  encryption  scheme  which  guarantees  both 
plaintext  privacy  and  query  privacy.  Our  construction  supports  inner-product  queries. 


Why inner-product queries? An important goal in predicate encryption is the ability to support
complex, expressive queries. Researchers have made many endeavors towards this goal. The
earliest schemes in the public-key setting support equality test queries such as (YEAR
= 2009). Later, researchers invented schemes supporting conjunctive queries [1, 25, 37] such
as (YEAR = 2009) ∧ (MONTH = jan). An extension of conjunctive queries is multi-dimensional
range queries [35]. Recently, Katz, Sahai and Waters [28] took another big step forward in this
direction and proposed a scheme supporting inner-product queries. We point out that inner-product
queries are strictly more expressive than conjunctive queries. In the KSW paper [28], the authors
explicitly show why inner-product queries imply conjunctions, disjunctions, CNF/DNF formulas,
polynomial evaluation and exact thresholds. The KSW construction is in the public-key setting,
and does not guarantee query privacy.

Naturally,  a  reasonable  goal  to  aim  for  is  a  scheme  whose  expressiveness  matches  the  most 
powerful  public-key  predicate  encryption  known  to  date.  This  is  the  reason  why  we  consider 
inner-product  queries.  Our  construction  is  the  first  secret-key  predicate  encryption  scheme  that 
guarantees  query  privacy  and  supports  expressive  queries. 


Definitional issues. One of our contributions is to rethink the definition of query privacy. Although
query privacy has previously been studied in the secret-key setting for keyword-based
queries by Song et al. [39], and Curtmola et al. [19], the security definitions adopted in these works
are not yet satisfactory, and may be strengthened. In this thesis, we rethink how to formally define
the security of Secret-Key Predicate Encryption (SK-PE). Ideally, we would like to reveal the absolutely
minimal information to the storage server. We capture this intuitive notion through the full
security definition (see Definition 5.3.3). As the full security definition is hard to work with, we
propose an alternative security definition (see Definition 5.3.4) called Single Challenge Indistinguishability
(SCI). This security notion resembles the adaptive security notion adopted by previous
identity-based encryption and predicate encryption schemes. We demonstrate
in Proposition 5.3.2 that SCI security is just "as good as" full security for inner-product
queries. Our construction satisfies a relaxation of SCI security. The relaxation is similar to the selective
variants frequently used in prior identity-based encryption, attribute-based encryption and
predicate encryption schemes. We emphasize that even the relaxed security
model we use in our proofs is stronger than the security definitions adopted by Song et al. [39]
and Curtmola et al. [19].


Proof  techniques.  Our  proof  techniques  can  be  of  independent  interest.  We  observe  that  cipher- 
texts  and  tokens  are  symmetric  in  functionality  and  security  requirement,  and  we  leverage  such 
symmetry  in  our  proofs.  More  specifically,  we  observe  that  if  the  ciphertext  and  token  are  sym¬ 
metrically  formed,  then  by  proving  plaintext  privacy,  we  obtain  query  privacy  for  free.  Therefore, 
one possible approach is to build a KSW-like construction, where the ciphertext and the token are
symmetrically  formed,  or  computationally  indistinguishable  from  being  symmetrically  formed.  In 
this  way,  we  can  leverage  a  KSW-style  proof  to  establish  plaintext  privacy,  and  then  rely  on  the 
symmetry  argument  to  establish  query  privacy. 


5.2  Applications  of  SK-PE 

In  the  privacy-preserving  Gmail  example  mentioned  at  the  beginning  of  this  thesis,  it  may  be  more 
appropriate  to  use  public-key  encryption,  since  anyone  in  the  world  should  be  able  to  use  the 
public-key  to  send  an  encrypted  email  to  Alice.  In  this  case,  the  public-key  used  for  encryption  is 
known  to  the  entire  world. 

On  the  other  hand,  secret-key  encryption  is  more  appropriate  in  other  scenarios.  Below,  we  list 
some  potential  applications  of  secret-key  predicate  encryption. 

Private Google Docs In private Google Docs, Alice uses her secret key to encrypt her documents
before storing them on Google Docs. Later, when Alice wishes to search these documents, she can
use her secret key to construct a token corresponding to her query, and send the token to Google. Using
this token, Google can decide exactly which documents match Alice's search criterion, without
learning any additional information. This means that Google learns nothing about the encrypted
documents, and nothing about her search criterion.


Private del.icio.us delicious.com is a web-service allowing users to store browsing history
and bookmarks, and share them with friends. Alice may not care about her privacy if she bookmarks
innocuous websites such as movies.yahoo.com or imdb.com. However, she may
care about her medical privacy, and if she wishes to bookmark the website of a hospital, she may
become a little concerned about leaking this information to del.icio.us. Such privacy concerns can
be addressed using secret-key predicate encryption. Alice can use her secret key to encrypt her
sensitive bookmarks before storing them on del.icio.us. Later, when she wishes to search for her
bookmarks, she can use her secret key to generate a token, and del.icio.us can now use this token
to perform the search for Alice.


5.3  Definitions:  SK-PE  for  General  Queries 


Although  in  this  thesis,  we  consider  a  specific  predicate  family,  inner-product  queries,  we  would 
like  to  phrase  the  problem  of  secret-key  predicate  encryption  also  in  general  terms.  We  hope  that 
the  generic  definition  can  inspire  researchers  to  invent  secret-key  predicate  encryption  schemes 
that  support  more  powerful  queries  than  inner  products  —  the  version  we  propose  in  this  thesis. 

For  simplicity,  we  consider  the  predicate-only  version.  We  note  that  it  is  not  hard  to  incorporate 
a  payload  message  into  the  construction  using  techniques  described  in  prior  predicate  encryption 
schemes  1 12 ,  28,35  ] . 
More importantly, we rethink the security definition for SK-PE. Our security definition should
capture the intuition that the remote storage server learns only Alice's access pattern, and nothing
more. In particular, the storage server does not learn anything about Alice's encrypted documents,
nor about what queries Alice is making.

We  now  give  general  definitions  for  Secret-Key  Predicate  Encryption  (SK-PE)  as  well  as  its 
security.  A  Secret-Key  Predicate  Encryption  (SK-PE)  scheme  consists  of  the  following  (possibly 
randomized)  algorithms. 

Definition 5.3.1 (Secret-key predicate encryption) A Secret-Key Predicate Encryption (SK-PE)
system consists of the following (possibly randomized) algorithms.

Setup($1^{\lambda}$): The Setup algorithm takes as input a security parameter $1^{\lambda}$, and outputs a secret key
MSK.

Encrypt(MSK, $x$): The Encrypt algorithm takes as input a secret key MSK, a plaintext $x \in
\{0,1\}^{\ell}$, and outputs a ciphertext CT.

GenToken(MSK, $f$): The GenToken algorithm takes as input a secret key MSK, and a query
predicate $f : \{0,1\}^{\ell} \to \{0,1\}$. It outputs a token TK$_f$ that allows one to evaluate $f(x)$ over
an encryption of $x$. As mentioned above, we assume that the query predicate can be encoded
as a bitstring of length $m$.

Query(TK$_f$, CT): The Query algorithm takes as input a token TK$_f$ for the predicate $f$, and a
ciphertext CT which is an encryption of $x \in \{0,1\}^{\ell}$, and outputs $f(x)$.

5.3.1  Full  Security 

Public-key  predicate  encryption  schemes  guarantee  the  secrecy  of  the  ciphertext;  however,  they  do 
not  guarantee  the  secrecy  of  the  tokens.  In  fact,  for  public-key  predicate  encryption,  it  is  inherently 
impossible  to  achieve  ciphertext  secrecy  and  token  secrecy  simultaneously.  This  is  due  to  the  fact 
that  anyone  is  able  to  encrypt  using  the  public-key.  In  the  Gmail  example,  if  Google  would  like 
to  know  whether  a  token  corresponds  to  the  query  “Title  =  cryptography”,  Google  can  simply 
encrypt  an  email  whose  “Title  =  cryptography”  using  the  public-key,  and  test  the  token  against 
the  resulting  ciphertext. 

In  secret-key  predicate  encryption,  it  is  possible  to  guarantee  the  secrecy  of  both  the  plaintext 
(encoded  in  a  ciphertext)  and  that  of  the  query  (encoded  in  a  token).  This  provides  even  stronger 
privacy  guarantees  in  practice. 
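The "encrypt a guess and test the token" argument, made twice above (for the "cardiologist" search and for the "Title = cryptography" email), as an added example that is not the thesis's construction: a toy equality-test predicate encryption built only for this illustration, with a server that holds a token and some ciphertexts. Giving the server the encryption key models the public-key setting, where anyone can run Encrypt; withholding it models the secret-key setting, where the server is left with the access pattern. The keyword lists are constructed sample data.

```python
"""Why query privacy fails once the adversary can encrypt (added example; a toy model,
not the thesis's scheme).

Toy equality-test predicate encryption: the token for keyword w is PRF_k(w); the
ciphertext for keyword x is (nonce, H(PRF_k(x) || nonce)); Query recomputes the hash.
"""
import hashlib
import hmac
import os


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def gen_token(key, keyword):
    """Token for the predicate (KEYWORD = keyword)."""
    return prf(key, b"token|" + keyword)


def encrypt(key, keyword, nonce=None):
    """Ciphertext: a fresh nonce and a tag that only the matching token can recompute."""
    nonce = os.urandom(16) if nonce is None else nonce
    tag = hashlib.sha256(gen_token(key, keyword) + nonce).digest()
    return nonce, tag


def query(token, ciphertext):
    nonce, tag = ciphertext
    return hmac.compare_digest(hashlib.sha256(token + nonce).digest(), tag)


def server_view(token, ciphertexts):
    """Secret-key setting: the server learns one column of the access pattern, nothing else."""
    return [query(token, ct) for ct in ciphertexts]


def recover_query(encrypt_oracle, token, dictionary):
    """Public-key setting: encrypt each candidate keyword and test the token against it."""
    for candidate in dictionary:
        if query(token, encrypt_oracle(candidate)):
            return candidate
    return None


def demo(key, secret_keyword, dictionary, stored_keywords):
    token = gen_token(key, secret_keyword)
    ciphertexts = [encrypt(key, kw) for kw in stored_keywords]
    pattern = server_view(token, ciphertexts)
    # With the ability to encrypt, the server recovers the query by dictionary search.
    leaked = recover_query(lambda kw: encrypt(key, kw), token, dictionary)
    return pattern, leaked


if __name__ == "__main__":
    key = os.urandom(32)                                      # constructed secret key
    stored = [b"flu", b"cardiologist", b"dentist"]            # constructed documents
    dictionary = [b"allergy", b"cardiologist", b"dentist", b"flu"]
    print(demo(key, b"cardiologist", dictionary, stored))
```

The attack needs nothing but the public encryption capability and a guess list; no weakness of the scheme is involved, which is why the text concludes that query privacy has to be pursued in the secret-key setting.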

We  now  formally  define  the  security  for  secret-key  predicate  encryption.  As  mentioned  above, 
our  definition  aims  to  guarantee  the  secrecy  of  the  plaintext,  as  well  as  the  query. 

To explain the intuition behind our security definition, consider a privacy-preserving remote storage application, where Alice stores her encrypted documents on a remote server, and later issues tokens to the server to search for matching documents. Our goal is to leak as little information to the storage server as possible. Under our model, Alice makes a query by submitting a token to the server, and the server learns exactly which of her encrypted documents match the query, and returns the matching documents to Alice. Therefore, in this framework, the server inevitably learns Alice's access pattern, that is, which documents Alice retrieves with each query.
We would like to define security in the strongest sense possible: informally, the storage server should learn only Alice's access pattern, and nothing more. In particular, this implies that the server learns nothing about Alice's encrypted documents, or what queries she is making.

To  capture  the  notion  that  the  server  learns  only  Alice’s  access  pattern,  we  need  to  first  formally 
define  what  access  pattern  means.  Intuitively,  the  access  pattern  is  the  outcomes  of  q  predicates  on 
n  plaintexts. 

Definition 5.3.2 (Access pattern) Let $X = (x_1, x_2, \ldots, x_n)$ denote an ordered list of $n$ plaintexts, where $x_i \in \{0,1\}^\ell$ for $1 \le i \le n$. Let $F = (f_1, f_2, \ldots, f_q)$ denote an ordered list of $q$ query predicates, where $f_i \in \{0,1\}^m$ for $1 \le i \le q$. The access pattern on $X$ and $F$ is a $q \times n$ matrix:

$$\mathrm{AccessPattern}(X, F) = \begin{bmatrix} f_1(x_1) & f_1(x_2) & \cdots & f_1(x_n) \\ f_2(x_1) & f_2(x_2) & \cdots & f_2(x_n) \\ \vdots & \vdots & \ddots & \vdots \\ f_q(x_1) & f_q(x_2) & \cdots & f_q(x_n) \end{bmatrix}$$

We now proceed to define the security for SKPE. Let $X = (x_1, x_2, \ldots, x_n)$, $X' = (x'_1, x'_2, \ldots, x'_n)$ denote two ordered lists of plaintexts. Let $F = (f_1, f_2, \ldots, f_q)$, $F' = (f'_1, f'_2, \ldots, f'_q)$ denote two ordered lists of query predicates. Now imagine the following two worlds. In World 0, the server sees $n$ encrypted documents $(\mathrm{Enc}(x_1), \mathrm{Enc}(x_2), \ldots, \mathrm{Enc}(x_n))$ and $q$ tokens $(\mathrm{TK}_{f_1}, \mathrm{TK}_{f_2}, \ldots, \mathrm{TK}_{f_q})$. In World 1, the server sees $n$ encrypted documents $(\mathrm{Enc}(x'_1), \mathrm{Enc}(x'_2), \ldots, \mathrm{Enc}(x'_n))$ and $q$ tokens $(\mathrm{TK}_{f'_1}, \mathrm{TK}_{f'_2}, \ldots, \mathrm{TK}_{f'_q})$. Suppose the two worlds have the same access pattern, i.e.,

$$\mathrm{AccessPattern}(X, F) = \mathrm{AccessPattern}(X', F')$$


Informally, the server should not be able to distinguish between the two worlds. The security definition presented below describes a game between a challenger and an adversary, and is intended to capture this notion of indistinguishability between these two worlds. Moreover, the definition considers an adaptive adversary: an adversary who can choose what ciphertext/token queries to make depending on the previous interactions with the challenger.

Definition 5.3.3 (SKPE full security) We say that an SKPE scheme is fully secure if all polynomial-time adversaries have negligible advantage in the following game.

Setup. The challenger runs the Setup algorithm, and retains the secret key MSK to itself. In addition, it flips a random coin $b$, and keeps the bit $b$ to itself as well. Define four ordered lists, $X_0, F_0, X_1, F_1$, where $(X_0, F_0)$ will record plaintexts and predicates queried by the adversary in World 0, and $(X_1, F_1)$ will record plaintexts and predicates queried by the adversary in World 1. Initially, all four lists are empty.

Query. The adversary adaptively makes the following types of queries. The adversary can make up to a polynomial number of these queries.

• Ciphertext query. The adversary specifies two plaintexts $x_0, x_1 \in \{0,1\}^\ell$ to the challenger. The challenger encrypts $x_b$ and returns the ciphertext to the adversary. Append $x_0$ to the list $X_0$, and $x_1$ to the list $X_1$.

• Token query. The adversary specifies two predicates $f_0, f_1 \in \{0,1\}^m$ to the challenger. The challenger computes a token for the predicate $f_b$, and gives the resulting token to the adversary. Append $f_0$ to the list $F_0$, and $f_1$ to the list $F_1$.

All queries made in this stage should be indistinguishable by access pattern. In other words, at the end of the game, all queries made should satisfy the following condition:

$$\mathrm{AccessPattern}(X_0, F_0) = \mathrm{AccessPattern}(X_1, F_1)$$

Guess. The adversary outputs a guess $b'$ of the bit $b$. Its advantage is defined as $\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

5.3.2  Single  Challenge  Indistinguishability 

As the full security definition is hard to work with in our proofs, we define another security notion called Single Challenge Indistinguishability (SCI) security. For general queries, SCI security may be considered a relaxed version of the full security definition, as stated in Proposition 5.3.1. However, we show in Proposition 5.3.2 that for the specific case of inner-product queries, SCI security is as good as full security in some sense.

Definition 5.3.4 (Single Challenge Indistinguishability for general queries) We say that an SK-PE scheme (for general queries) is SCI-secure if no polynomial-time adversary has more than negligible advantage in winning the following game:

Setup. The challenger runs the Setup algorithm, and retains the secret key MSK to itself.

Query. The adversary adaptively makes the following types of queries:

• Ciphertext query. The adversary specifies a plaintext $x \in \{0,1\}^\ell$ to the challenger. The challenger encrypts $x$ and returns the ciphertext to the adversary.

• Token query. The adversary specifies a predicate $f$ to the challenger. The challenger computes a token for the predicate $f$, and gives the result to the adversary.

Challenge. The adversary requests a challenge. The adversary first specifies a bit $T$ to the challenger.

• If $T = 0$, the challenge is a ciphertext challenge. The adversary then sends two plaintexts $(x_0, x_1)$ to the challenger, satisfying the following constraint:

Let $f_1, f_2, \ldots, f_{q_0}$ denote previously queried predicates.

$$\forall\, 1 \le i \le q_0 : \; f_i(x_0) = f_i(x_1) \qquad (5.1)$$

The challenger flips a random coin $b$, encrypts $x_b$, and returns the ciphertext to the adversary.

• If $T = 1$, the challenge is a token challenge. The adversary then sends two predicates $(f_0, f_1)$ to the challenger, satisfying the following constraint:

Let $x_1, x_2, \ldots, x_{q_1}$ denote plaintexts that the adversary has asked the challenger to encrypt in previous ciphertext queries.

$$\forall\, 1 \le i \le q_1 : \; f_0(x_i) = f_1(x_i) \qquad (5.2)$$

The challenger flips a random coin $b$, computes a token $\mathrm{TK}_{f_b}$ for $f_b$, and returns $\mathrm{TK}_{f_b}$ to the adversary.

More queries. The adversary makes more queries as in the Query phase. If the adversary has previously issued a ciphertext challenge, all token queries made in this stage must satisfy Equation (5.1). Otherwise, if the adversary has previously submitted a token challenge, all ciphertext queries made in this stage must satisfy Equation (5.2).

Guess. The adversary outputs a guess $b'$ of the bit $b$. Its advantage is defined as $\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.


5.3.3  Selective  Single  Challenge  Indistinguishability 


We now define a relaxed notion of security called Selective Single Challenge Indistinguishability, or selective SCI for short. Selective security has been adopted widely in the study of Identity-Based Encryption (IBE), Anonymous Identity-Based Encryption, Attribute-Based Encryption, and Public-key Predicate Encryption schemes [3, JJt llj, UJ, |15|, 35]. In a selective SCI game, the adversary commits to the challenge at the very beginning of the security game, and the rest of the game proceeds in the same way as the SCI security game as described in Definition 5.3.4.

Definition 5.3.5 (Selective SCI security) We say that an SK-PE scheme is selectively SCI-secure if no polynomial-time adversary has more than negligible advantage in winning the following game:


Init. The adversary submits a challenge to the challenger. Like before, the challenge is composed of a bit $T$ indicating whether this is a ciphertext challenge or a token challenge; followed by two plaintexts $(x_0, x_1)$ (in the case of a ciphertext challenge), or two query predicates $(f_0, f_1)$ (in the case of a token challenge).

Setup. The challenger runs the Setup algorithm, and retains the secret key MSK to itself.

Query. The adversary adaptively makes either ciphertext queries or token queries, and the challenger responds to the queries accordingly. If the adversary has previously issued a ciphertext challenge, all token queries made in this stage must satisfy Equation (5.1). Otherwise, if the adversary has previously submitted a token challenge, all ciphertext queries made in this stage must satisfy Equation (5.2).

Challenge. The challenger flips a random coin $b$, and returns either an encryption of $x_b$, or a token for the predicate $f_b$ depending on the type of challenge specified by the adversary in the Init stage.

More queries. The adversary makes more queries as in the Query phase. If the adversary has previously issued a ciphertext challenge, all token queries made in this stage must satisfy Equation (5.1). Otherwise, if the adversary has previously submitted a token challenge, all ciphertext queries made in this stage must satisfy Equation (5.2).

Guess. The adversary outputs a guess $b'$ of the bit $b$; and its advantage is defined as $\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

5.3.4  Relationship  Between  Security  Definitions 

For general queries, it is not hard to see that full security implies SCI security. Therefore, we can consider SCI security as a relaxed version of the full security definition. Interestingly, we are able to show that for the special case of inner-product queries, given a scheme satisfying SCI security for vectors of length $2n$, we can construct a fully-secure scheme for vectors of length $n$. We refer the readers to Proposition 5.3.2 for a more formal statement and proof of this observation. Proposition 5.3.2 tells us that to construct a fully-secure SK-PE scheme on inner-product queries, it suffices to construct a scheme satisfying SCI security.

Proposition 5.3.1 If an SK-PE scheme (for general queries) is fully-secure, it must be SCI-secure.

Proof: (sketch.) Notice that an SCI adversary is a special case of an adversary in the full-security game. In the full-security game, suppose that in all but one query, the adversary submits two equal plaintexts (or queries), i.e., $x_0 = x_1$ (or $f_0 = f_1$); then the adversary is in fact an SCI adversary. ■

In  the  special  case  of  inner-product  queries,  SCI  security  is  “as  good  as”  full  security,  and  the 
following  proposition  explains  why. 

Proposition 5.3.2 Let $\mathrm{Scheme}_{2n}$ denote an SCI-secure SK-PE scheme supporting inner-product queries, where both plaintext and query vectors have length $2n$ (i.e., plaintext and query vectors are picked from $\Sigma^{2n}$). Given $\mathrm{Scheme}_{2n}$, it is possible to construct a fully-secure SK-PE scheme supporting inner-product queries, where both the plaintext and query vectors have length $n$. We refer to the latter scheme as $\mathrm{Scheme}_n$.

While the detailed proof of the above proposition is provided in Section 5.8, we explain the intuition here. In the full security game, the challenger constructs ciphertexts and tokens for different vectors in World 0 and World 1. Suppose that the challenger encrypts vectors $X = (x_1, \ldots, x_c)$ and constructs tokens for vectors $V = (v_1, \ldots, v_t)$ in World 0; the challenger encrypts vectors $Y = (y_1, \ldots, y_c)$ and constructs tokens for vectors $W = (w_1, \ldots, w_t)$ in World 1. It is required that the access pattern remains the same between these two worlds, that is, $\mathrm{AccessPattern}(X, V) = \mathrm{AccessPattern}(Y, W)$.

If we could define a sequence of hybrid games in between World 0 and World 1, such that only one component (one ciphertext or one token) is changed between any two consecutive games, then we would be able to prove full security using SCI security plus a hybrid argument. By the definition of SCI security, a computationally-bounded adversary is unable to distinguish between two games where only one component differs (as long as these two worlds have the same access pattern). Unfortunately, we cannot naively change any component alone in World 0, since doing so might result in a different access pattern. For example, suppose the challenger changed from encrypting $x_c$ to encrypting $y_c$ in World 0; then this might cause the access pattern to change as well. To solve this problem, we propose to encrypt the vector $x$ twice. More specifically, to encrypt $x$, we encrypt the length-$2n$ vector

$$x \| x := (x_1, x_2, \ldots, x_n, x_1, x_2, \ldots, x_n)$$

instead, using the SCI-secure construction $\mathrm{Scheme}_{2n}$. Similarly, to construct a token for the vector $v$, we construct a token for the length-$2n$ vector $v \| v$ instead. In this way, we construct $\mathrm{Scheme}_n$ (for vectors of length $n$) from an SCI-secure $\mathrm{Scheme}_{2n}$ (for vectors of length $2n$). As Section 5.8 demonstrates, this allows us to define a sequence of hybrid games where only one component is changed between any two consecutive games. Meanwhile, the access pattern is preserved across all games. See Section 5.8 for the detailed proof of this proposition.
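
The access-pattern matrix of Definition 5.3.2, the query constraints of Definitions 5.3.3 and 5.3.4, and the $x \| x$ doubling of Proposition 5.3.2, as an added Python example (illustrative code written for this page, not the thesis's own implementation). It fixes inner-product predicates over $\mathbb{Z}_N$ with a constructed small odd modulus, and encodes a match as 1, which is a convention chosen here rather than taken from the page:

```python
"""Access patterns and the query constraints of the SK-PE security games.

Constructed example, not the thesis's code.  Plaintexts and predicates are
both vectors over Z_N, and a predicate vector v "matches" x when <x, v> = 0
mod N; the example encodes a match as 1 (a convention chosen here).
"""
from typing import Sequence, Tuple

N = 5005  # constructed modulus 5*7*11*13; odd, like any product of large primes

Vec = Tuple[int, ...]
Matrix = Tuple[Tuple[int, ...], ...]


def inner_product(x: Vec, v: Vec) -> int:
    """<x, v> mod N."""
    if len(x) != len(v):
        raise ValueError("vectors must have equal length")
    return sum(a * b for a, b in zip(x, v)) % N


def predicate(v: Vec, x: Vec) -> int:
    """f_v(x): 1 when <x, v> = 0 mod N, 0 otherwise."""
    return 1 if inner_product(x, v) == 0 else 0


def access_pattern(X: Sequence[Vec], F: Sequence[Vec]) -> Matrix:
    """Definition 5.3.2: the q x n matrix whose (i, j) entry is f_i(x_j)."""
    return tuple(tuple(predicate(f, x) for x in X) for f in F)


def full_security_constraint(X0, F0, X1, F1) -> bool:
    """Definition 5.3.3: World 0 and World 1 must have identical access patterns."""
    return access_pattern(X0, F0) == access_pattern(X1, F1)


def ciphertext_challenge_allowed(x0: Vec, x1: Vec, queried_F: Sequence[Vec]) -> bool:
    """Equation (5.1): every previously queried predicate agrees on x0 and x1."""
    return all(predicate(f, x0) == predicate(f, x1) for f in queried_F)


def token_challenge_allowed(f0: Vec, f1: Vec, queried_X: Sequence[Vec]) -> bool:
    """Equation (5.2): the challenge predicates agree on every queried plaintext."""
    return all(predicate(f0, x) == predicate(f1, x) for x in queried_X)


def double(x: Vec) -> Vec:
    """x||x, the length-2n encoding of Proposition 5.3.2."""
    return tuple(x) + tuple(x)


def doubling_preserves_predicate(x: Vec, v: Vec) -> bool:
    """<x||x, v||v> = 2<x, v>, and N is odd, so the doubled pair matches
    exactly when the original pair does."""
    return predicate(double(v), double(x)) == predicate(v, x)


def naive_swap_changes_pattern() -> bool:
    """Two worlds with equal access patterns, where replacing only the
    plaintext of World 0 by World 1's plaintext breaks the equality.  This is
    the obstacle that the x||x encoding is introduced to get around."""
    X0, F0 = [(1, 0)], [(0, 1)]
    X1, F1 = [(0, 1)], [(1, 0)]
    worlds_agree = full_security_constraint(X0, F0, X1, F1)
    one_component_swapped = access_pattern(X1, F0) == access_pattern(X0, F0)
    return worlds_agree and not one_component_swapped
```

The constraint checkers are what a challenger would run before answering a challenge or a post-challenge query; a request that fails them is simply not a legal move in the game, so the definitions never have to reason about it.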

A note on selective SCI security. Our construction is proven secure under the selective SCI model. One way to interpret the strength of selective SCI security is as follows. We have explained that selective SCI security is a relaxation of SCI security. Meanwhile, as Proposition 5.3.2 points out, SCI security is “as good as” full security for inner-product queries. Therefore, we can informally think of selective SCI security as a relaxation of full security for inner-product queries. The selective security model has frequently been adopted in prior IBE, ABE and predicate encryption schemes. We emphasize that even this relaxed security model is better than the definitions previously adopted. In particular, we show in Section 5.9 that given an SK-PE scheme for vectors of length $2n$ satisfying selective SCI security, one can construct an SK-PE scheme for vectors of length $n$ whose security is strictly stronger than the definition previously adopted by Curtmola et al. [19]. Curtmola et al. studied SK-PE for keyword-based queries, and proposed one possible formalization of query privacy.


5.4  Background  on  Pairings  and  Complexity  Assumptions 

5.4.1  Bilinear  groups  of  composite  order 

We review some background on bilinear maps and groups, especially groups of composite order, which were first introduced by Boneh, Goh and Nissim 11 Kill.

Let $\mathcal{G}$ denote a group generator algorithm which takes as input a security parameter $\lambda \in \mathbb{Z}_{>0}$, a number $k \in \mathbb{Z}_{>0}$, and outputs a tuple $(p_1, p_2, \ldots, p_k, G, G_T, e)$ where $p_1, p_2, \ldots, p_k$ are $k$ distinct primes, $G$ and $G_T$ are two cyclic groups of order $n = \prod_{i=1}^{k} p_i$. The function $e : G^2 \to G_T$ satisfies the following properties:

• (Bilinear) $\forall u, v \in G$, $\forall a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.

• (Non-degenerate) $\exists g \in G$ such that $e(g, g)$ has order $n$ in $G_T$.

We assume that group operations in $G$ and $G_T$ as well as the bilinear map $e$ can be computed in time polynomial in $\lambda$. We use the notation $G_{p_1}, G_{p_2}, \ldots, G_{p_k}$ to denote the respective subgroups of order $p_1, \ldots, p_k$ of $G$. We use $G_{p_1 p_2}$, $G_{p_2 p_5 p_k}$ to denote the subgroups of order $p_1 p_2$ and $p_2 p_5 p_k$ respectively. For example, $G_{p_1 p_2} = G_{p_1} \times G_{p_2}$.


5.4.2  Our  assumptions 


The predicate-only version of our construction relies on three assumptions: Assumption 1 in the KSW paper [28], the generalized 3-party Diffie-Hellman assumption (C3DH), and the Decisional Linear (DL) assumption. All of these assumptions involve at most 3 subgroups simultaneously. In particular, Assumption 1 involves 3 subgroups, C3DH involves 2 subgroups, and DL involves 1 subgroup. We assume that these assumptions still hold when the relevant subgroup(s) fall within a larger group whose order is the product of 4 distinct primes, $N = pqr\bar r$. Moreover, the naming of the subgroups is not significant in our assumptions, that is, the same assumptions still hold after renaming the subgroups.


Assumption 1 of KSW [28]. Our scheme is built on top of the KSW construction [28]. As a result, we inherit their complexity assumptions as well. In particular, the predicate-only version relies on Assumption 1 of the KSW construction.

We assume that this assumption holds when $G_p \times G_q \times G_r$ belongs to a larger group of order $N = pqr\bar r$; and below, we restate it in the context of the larger group.

Assumption 1 posits that any polynomial-time adversary has a negligible advantage in the following experiment: Let $N = pqr\bar r$, let $g_p, g_q, g_r, g_{\bar r}$ be random generators of $G_p, G_q, G_r, G_{\bar r}$ respectively. Pick the following numbers at random: $Q_1, Q_2, Q_3 \in G_q$, $R_1, R_2, R_3 \in G_r$, $a, b, s \in \mathbb{Z}_p$, and a random bit $b$. Give the adversary the description of the bilinear group $(N, G, G_T, e)$, and the following set of values:

$$\left(g_p,\; g_r,\; g_{\bar r},\; g_q R_1,\; g_p^b,\; g_p^{b^2},\; g_p^a g_q,\; g_p^{ab} Q_1,\; g_p^s,\; g_p^{bs} Q_2 R_2\right) \qquad (5.3)$$

In addition, if $b = 0$, the adversary is given the value $T = g_p^{b^2 s} R_3$; otherwise, if $b = 1$, the adversary is given the value $T = g_p^{b^2 s} Q_3 R_3$. The adversary outputs a guess $b'$ of the bit $b$, and its advantage is defined as

$$\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$$

Assumption 1 states that no polynomial-time adversary can win this game with more than negligible advantage. Note that this assumption implies the hardness of factoring $N$.


Generalized 3-party Diffie-Hellman assumption (C3DH). We also rely on the composite 3-party Diffie-Hellman assumption first introduced by Boneh and Waters [12]. We restate the assumption in the context of a bilinear group whose order is the product of four distinct primes $N = pqr\bar r$.

Let $g_p, g_q, g_r, g_{\bar r}$ denote random generators from the subgroups $G_p, G_q, G_r, G_{\bar r}$ respectively. Let $R_1, R_2, R_3$ denote random elements from the subgroup $G_r$, let $a, b, c$ denote random exponents from $\mathbb{Z}_N$. Now a challenger gives an adversary the following values:

$$\left(g_p,\; g_q,\; g_r,\; g_{\bar r},\; g_p^a,\; g_p^b,\; g_p^{ab} R_1,\; g_p^{abc} R_2\right)$$

The challenger also flips a random coin $b$, and depending on the value of $b$, the challenger gives the adversary either the value $g_p^c R_3$ or a random element from the subgroup $G_{pr}$. The adversary's task is to output a guess $b'$ of the bit $b$, and its advantage is defined as $\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

The C3DH assumption posits that for any polynomial time algorithm $\mathcal{A}$, its advantage in the C3DH experiment is a negligible function. Note that this assumption implies the hardness of factoring $N$.
Decisional Linear assumption (DL). We also rely on the Decisional Linear assumption first used by Boneh, Boyen and Shacham for group signatures [H]. Below we restate the assumption in the context of a larger group whose order is the product of four distinct primes $N = pqr\bar r$.

Let $G_p$ denote the subgroup of order $p$ in a bilinear group $G$ of order $N = pqr\bar r$. The adversary is given

$$\left(g_p,\; g_q,\; g_r,\; g_{\bar r},\; g_p^{z_1},\; g_p^{z_2},\; g_p^{z_1 z_3},\; g_p^{z_2 z_4}\right)$$

where $z_1, z_2, z_3, z_4$ are picked at random from $\mathbb{Z}_p$, and $g_p, g_q, g_r, g_{\bar r}$ are random generators of the subgroups $G_p, G_q, G_r$ and $G_{\bar r}$ respectively. In addition, the adversary is given either $Z = g_p^{z_3 + z_4}$, or a random element from $G_p$. The adversary's task is to distinguish between these two cases.

The Decisional Linear assumption posits that no polynomial-time adversary has more than negligible advantage in the above experiment.


5.5  Construction 

In this section, we propose an SK-PE construction for inner-product queries. A plaintext $x$ is a vector drawn from $\mathbb{Z}_N^n$. A query predicate represented as $v$ is also drawn from $\mathbb{Z}_N^n$. A predicate vector $v$ specifies the following predicate function:

if $\langle x, v \rangle = 0$

otherwise


5.5.1  Intuition 


Recall that our goal is to construct a scheme supporting inner-product queries in the secret-key setting. Furthermore, we aim to achieve both plaintext and query privacy. As the KSW construction [28] already provides a solution for inner-product queries in the public-key setting, our first attempt is to directly use the KSW construction. We can conveniently convert the KSW construction to the secret-key setting, simply by withholding the public-key. This approach immediately ensures plaintext privacy as proven in the KSW paper. Unfortunately, the KSW construction does not provide any guarantee about query privacy; in fact, as we point out in Section 5.1, query privacy is not possible in the public-key setting. Therefore, it seems that our biggest challenge is how to achieve query privacy. We now explain how we can rely on the symmetry observation to address this challenge.

Observe that the ciphertext and the token are completely symmetric. In terms of functionality, both the plaintext and query are vectors of length $n$; meanwhile, the inner-product equation is commutative. In terms of security definitions, the ciphertext and the token are symmetric as well. The ciphertext needs to hide the plaintext vector, while the token needs to hide the query vector. One way to interpret the symmetry is to think of the ciphertext as an encryption of the plaintext vector, and think of the token as an encryption of the query vector. In fact, under the definitions given in Section 5.3, we can safely reverse the role of a ciphertext and a token. In other words, we can have tokens serve as ciphertexts, and ciphertexts serve as tokens.
This symmetry observation gives rise to the following idea: what if we construct a scheme where the ciphertexts and tokens are symmetrically formed? This can make life much simpler for us, since if we are able to prove plaintext privacy, we will obtain query privacy for free. Due to the symmetry in formation, the same argument we use to prove plaintext privacy can be used to prove query privacy as well. In our construction, the ciphertext and the token are not exactly symmetric by formation; however, we prove that ciphertext and tokens are, in fact, computationally indistinguishable from being symmetric. In other words, a computationally-bounded adversary is unable to distinguish our scheme from another scheme (called SchemeSym in the proof) where the ciphertext and the token are symmetric by distribution. We henceforth refer to this as computational symmetry.

We now present our main construction, and then, in Section 5.5.3, we explain at the algebraic level: (1) why our construction has computational symmetry, and (2) how to understand the differences between our construction and KSW, and why these differences are important to ensure query privacy.

5.5.2  Detailed  construction 

We  now  present  our  main  construction. 

Setup($1^\lambda$): The setup algorithm first chooses random large primes $p, q, r, \bar r$, and creates a bilinear group of composite order $N = pqr\bar r$. Next it picks generators $g_p, g_q, g_r, g_{\bar r}$ from subgroups $G_p, G_q, G_r, G_{\bar r}$ respectively. It then picks $h_{1,i}, h_{2,i}, \bar h_{1,i}, \bar h_{2,i}$ from $G_p$, for all $1 \le i \le n$.

The secret key is set to the following:


Encrypt(MSK, $x$): Let $x = (x_1, x_2, \ldots, x_n) \in (\mathbb{Z}_N)^n$. The encryption algorithm first picks random exponents $s, t, \alpha, \beta$ from $\mathbb{Z}_N$. Then, it chooses random hiding factors $R_0, R_{\bar 0}$ from the subgroup $G_{\bar r}$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^{n}$ from $G_r$.

Next,  the  encryption  algorithm  computes  the  following  ciphertext: 


CT 


GenToken(MSK, $v$): Let $v = (v_1, v_2, \ldots, v_n) \in (\mathbb{Z}_N)^n$. The GenToken algorithm picks random exponents $f_1, f_2, \{r_{1,i}, r_{2,i}\}_{i=1}^{n}$ from $\mathbb{Z}_N$. Then, it chooses random hiding factors $R_0, R_{\bar 0}$ from the subgroup $G_r$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^{n}$ from $G_{\bar r}$.

Next,  the  GenToken  algorithm  computes  the  following  token: 


TK 
Query($\mathrm{TK}_v$, $\mathrm{CT}_x$): The Query algorithm behaves in a way similar to the KSW [28] construction. It computes

$$e(C_0, K_0)\, e(C_{\bar 0}, K_{\bar 0}) \cdot \prod_{i=1}^{n} e(C_{1,i}, K_{1,i})\, e(C_{2,i}, K_{2,i}) = 1 \qquad (5.4)$$

and outputs 0 iff the above is equal to 1, indicating that $\langle x, v \rangle = 0 \bmod N$. (The case that $\langle x, v \rangle = 0 \bmod q$, but $\langle x, v \rangle \ne 0 \bmod N$ happens with negligible probability as explained in Section 5.6.)
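
The subgroup algebra of Section 5.4.1 and the cancellation behind the pairing-product test of Equation (5.4), as an added Python example (constructed for this page, not code from the thesis). It models $G$ and $G_T$ as the additive group $\mathbb{Z}_N$ with $e(u, v) = u \cdot v \bmod N$, which is bilinear and non-degenerate but has trivial discrete logarithms, so it illustrates only the algebra: pairings between distinct prime-order subgroups give the identity, which is what makes the $G_r$ and $G_{\bar r}$ hiding factors vanish, and the surviving term tests $\langle x, v \rangle$ modulo $q$, exactly the caveat in the parenthesis above. The per-coordinate encoding (vector in $G_q$, one hiding factor per term) is a simplification chosen here, not the thesis's ciphertext and token:

```python
"""Toy composite-order bilinear group and the pairing-product test of Equation (5.4).

Constructed example, not code from the thesis.  G and G_T are both modelled as
the additive group Z_N: "g^a" is a*g mod N and e(u, v) = u*v mod N, which is
bilinear and non-degenerate.  Discrete logarithms are trivial here, so the model
shows only the algebra (subgroup orthogonality, cancellation of hiding factors),
not any hardness property.
"""
import random
from typing import Sequence

P, Q, R, RBAR = 5, 7, 11, 13          # constructed small primes p, q, r, r-bar
N = P * Q * R * RBAR                  # group order N = p*q*r*r-bar = 5005
IDENTITY = 0                          # the identity of Z_N (plays the role of "1" in G_T)


def pairing(u: int, v: int) -> int:
    """e(u, v) = u*v mod N.  e(a*u, b*v) = a*b*e(u, v), so e is bilinear."""
    return (u * v) % N


def generator(sub_order: int) -> int:
    """Generator of the subgroup of prime order sub_order: the element N/sub_order."""
    return N // sub_order


def exp(g: int, a: int) -> int:
    """Group exponentiation g^a in the additive model."""
    return (g * a) % N


def mul(*elems: int) -> int:
    """Group multiplication (addition mod N in this model)."""
    return sum(elems) % N


g_p, g_q, g_r, g_rbar = (generator(o) for o in (P, Q, R, RBAR))


def subgroups_are_orthogonal() -> bool:
    """e(G_{p_i}, G_{p_j}) is the identity for i != j, because
    (N/p_i)*(N/p_j) is a multiple of N.  This is what lets the hiding
    factors in G_r and G_{r-bar} disappear from the product in Equation (5.4)."""
    gens = (g_p, g_q, g_r, g_rbar)
    return all(pairing(a, b) == IDENTITY
               for i, a in enumerate(gens) for j, b in enumerate(gens) if i != j)


def random_elem(g: int, sub_order: int) -> int:
    """A random non-identity element of the subgroup generated by g."""
    return exp(g, random.randrange(1, sub_order))


def ip_test(x: Sequence[int], v: Sequence[int]) -> bool:
    """Shape of the per-coordinate terms of Equation (5.4): the vectors are
    encoded in G_q, each ciphertext term carries a G_r hiding factor and each
    token term a G_{r-bar} hiding factor.  All cross terms pair to the identity,
    leaving e(g_q, g_q)^{alpha*beta*<x,v>}, which is the identity iff
    <x, v> = 0 mod q."""
    alpha, beta = random.randrange(1, Q), random.randrange(1, Q)
    acc = IDENTITY
    for xi, vi in zip(x, v):
        C = mul(exp(g_q, alpha * xi), random_elem(g_r, R))
        K = mul(exp(g_q, beta * vi), random_elem(g_rbar, RBAR))
        acc = mul(acc, pairing(C, K))     # running product in G_T
    return acc == IDENTITY


def false_positive_mod_q() -> bool:
    """The caveat from the Query description: <x, v> = 7 is 0 mod q = 7 but not
    0 mod N, yet the test accepts.  With large primes this happens with
    negligible probability; with toy primes it is easy to exhibit."""
    return ip_test((7, 0), (1, 0))
```

Running ip_test with a matching pair returns True regardless of the random hiding factors, which is the point: the randomness lives in subgroups that pair to the identity against the other side's subgroups, so it never reaches $G_T$.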


5.5.3  How  to  understand  our  construction 

Computational symmetry. As mentioned in Section 5.5.1, the ciphertexts and tokens in our construction are computationally symmetric. To understand our computational symmetry idea, it helps to observe the following facts when inspecting our construction. (1) The $G_q$ subgroup is completely symmetric. In the ciphertext, the $G_q$ subgroup encodes the plaintext vector, while in the token, the $G_q$ subgroup encodes the query vector. (2) The $G_r$ subgroup and the $G_{\bar r}$ subgroup behave as mirrors of each other. Whenever an element from $G_r$ appears in the ciphertext, an element from $G_{\bar r}$ appears in the corresponding term in the token, and vice versa. (3) The $G_p$ subgroup is not completely symmetric in the ciphertext and the token; however, we later prove that the $G_p$ subgroup appears to be symmetric to a computationally-bounded adversary.


Comparison with the KSW construction. Since KSW already proved plaintext privacy for inner-product queries in the public-key setting, we tried to build a construction resembling KSW, in hope of reusing their proof (or proof techniques) on plaintext privacy. To aid the understanding of our construction, we provide a review of the KSW construction in Section 5.10.

What  is  more  interesting  to  the  reader  might  be  the  differences  between  our  construction  and 
the  KSW  construction.  In  fact,  a  good  way  to  understand  our  scheme  is  to  compare  it  with  the 
KSW  construction.  We  now  explain  the  important  differences  from  the  KSW  construction  that  are 
crucial  in  achieving  query  privacy. 

• The $G_{\bar r}$ subgroup. The KSW construction relies on 3 subgroups, $G_p$, $G_q$ and $G_r$. We introduce an additional subgroup $G_{\bar r}$, whose order $\bar r$ is a large prime distinct from $p$, $q$ and $r$. The most important functionality of the subgroup $G_{\bar r}$ is to serve as random hiding factors for most terms in the token. Intuitively, these random hiding factors can hide the query vector encoded in the token, thereby achieving query privacy. The behavior of the $G_{\bar r}$ subgroup “mirrors” that of the $G_r$ subgroup. Consequently, $G_{\bar r}$ also helps to introduce symmetry into our construction.

• The $G_p$ subgroup. In the KSW construction, all terms in the ciphertext have the same exponent $s$ in the $G_p$ subgroup. By contrast, we introduce an extra degree of randomness represented by the exponent $t$. Terms in the ciphertext now rely on two degrees of randomness, namely, $s$ and $t$, in the $G_p$ subgroup. Informally, this change is due to the observation that the $G_p$ subgroup is asymmetric in the ciphertext and the token by formation. Moreover, having only one degree of randomness (like in the KSW construction) is insufficient to ensure “computational symmetry” in the $G_p$ subgroup. However, if we increase the degree of randomness to two, then we can show that the $G_p$ subgroup is computationally symmetric in the ciphertext and the token.

To understand why this is the case, recall that Diffie-Hellman is easy in bilinear groups. Another interpretation of this statement is that if we pick a vector $g_p^{a_1}, g_p^{a_2}, \ldots, g_p^{a_k}$, it is easy to decide whether the exponent vector $(a_1, a_2, \ldots, a_k)$ is picked independently at random, or picked from a prescribed one-dimensional subspace. On the other hand, an informal interpretation of the Decisional Linear assumption tells us that it is computationally hard to decide whether the exponent vector $(a_1, a_2, \ldots, a_k)$ is picked independently at random, or picked randomly from a prescribed 2-dimensional subspace. The reason for introducing the extra randomness $t$ in the ciphertext is exactly to ensure that the exponents in the $G_p$ subgroup are picked from a 2-dimensional subspace, rather than a 1-dimensional subspace. This is why our construction has computational symmetry in the $G_p$ subgroup.
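
The easy half of that argument, deciding from group elements alone whether an exponent vector lies on a known line, as an added Python example (written for this page, not the thesis's code). It reuses the additive toy model of a composite-order pairing, $e(u, v) = u \cdot v \bmod N$, so discrete logarithms are trivial in the model; the function below nevertheless only evaluates pairings and never recovers an exponent, which is the property that carries over to a real bilinear group. The 2-dimensional case is precisely what the Decisional Linear assumption says this test cannot be extended to, so no function for it is given:

```python
"""Deciding a known 1-dimensional exponent subspace with pairings alone.

Constructed example, not the thesis's code.  Additive toy model of a
composite-order pairing: G = G_T = Z_N, g^a is a*g mod N and
e(u, v) = u*v mod N.  Discrete logs are trivial in this model, so it only
shows that the pairing makes the 1-dimensional test possible, which is the
"Diffie-Hellman is easy in bilinear groups" half of the argument.
"""
from typing import List, Sequence

P, Q, R, RBAR = 5, 7, 11, 13   # constructed small primes
N = P * Q * R * RBAR           # N = 5005
g_p = N // P                   # generator of the order-p subgroup G_p


def pairing(u: int, v: int) -> int:
    """e(u, v) = u*v mod N (bilinear in the additive model)."""
    return (u * v) % N


def exp(g: int, a: int) -> int:
    """g^a in the additive model; exponents of g_p only matter mod p."""
    return (g * a) % N


def encode(vec: Sequence[int]) -> List[int]:
    """The vector g_p^{a_1}, ..., g_p^{a_k} handed to the distinguisher."""
    return [exp(g_p, a) for a in vec]


def on_known_line(A_enc: Sequence[int], W_enc: Sequence[int]) -> bool:
    """Given g_p^{a_i} and g_p^{w_i} only, decide whether (a_i) is a scalar
    multiple of (w_i) mod p.  (a_i) lies on the line spanned by (w_i) iff every
    2x2 minor a_i*w_j - a_j*w_i vanishes mod p, and each minor is checked in
    the exponent with one pairing equation:
        e(g^{a_i}, g^{w_j}) == e(g^{a_j}, g^{w_i}).
    No exponent is ever recovered; only pairings are evaluated."""
    k = len(A_enc)
    return all(pairing(A_enc[i], W_enc[j]) == pairing(A_enc[j], W_enc[i])
               for i in range(k) for j in range(i + 1, k))
```

With a single exponent $s$ per ciphertext, every $G_p$ component of a KSW-style ciphertext is a known-line multiple of the corresponding public component, and the check above is exactly the distinguisher that would tell a real ciphertext from a symmetrically formed one; the second exponent $t$ moves the exponents onto a plane, where no such pairing equation exists.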

• The $Q$ element in $K$. The careful reader may have noticed that in the original KSW construction, the first term in the token $K$ has a $Q \in G_q$ element. This $Q$ element, however, has disappeared from the $K_0$ and $K_{\bar 0}$ terms in our construction. (Notice that the analog of KSW's $K$ term is $K_0$ and $K_{\bar 0}$ in our construction. The extra $K_{\bar 0}$ term results from introducing the extra randomness $t$ into the ciphertext.) The $Q$ term seems indispensable in the KSW construction if one carefully examines their proof. Consequently, the fact that we can remove the $Q$ term may seem counter-intuitive at first. However, we are able to show that whether the $K_0$ and $K_{\bar 0}$ terms contain an element from the $G_q$ subgroup is computationally indistinguishable to a polynomial-time adversary. It turns out that the ability to remove the $Q$ term is a side benefit from the introduction of the $G_{\bar r}$ subgroup into the tokens. As a result, our proof does not indicate that it is safe to remove the $Q$ term from the KSW construction as well.

Moreover,  the  ability  to  remove  the  Q  term  helps  to  introduce  symmetry  to  our  construction. 
Clearly,  in  the  KSW  construction,  the  Q  term  is  one  conspicuous  place  where  the  ciphertext  and 
the  token  do  not  mirror  each  other. 

5.5.4 Security and proof overview

Theorem 5.5.1 Under the generalized Assumption 1 of the KSW construction, the generalized C3DH assumption, and the Decisional Linear assumption, our main construction (Section 5.5) is selectively SCI-secure against polynomial-time adversaries.

We now give an overview of our security proof. Apart from this section, Section 5.5.1 also sheds light on the intuition behind our construction and proofs.

In the proof, we present two variants of the main construction, SchemeSym and SchemeQ. We refer to our main construction as SchemeReal. We prove that SchemeReal is computationally indistinguishable from both SchemeSym and SchemeQ. We now explain the motivation for having the two variants SchemeSym and SchemeQ.

SchemeSym. Recall that we plan to use computational symmetry in our construction proof. In particular, if ciphertexts and tokens are symmetrically formed in our construction, we will only need to prove plaintext privacy, and we get query privacy for free. The same argument also applies if the ciphertexts and tokens are not symmetric by distribution, but computationally symmetric. SchemeSym is exactly the variant where ciphertexts and tokens are symmetrically formed by distribution. And as our construction is computationally indistinguishable from SchemeSym, it means that in our construction, ciphertexts and tokens are computationally symmetric.

SchemeQ. Now that we have proven the computational symmetry between the formation of the ciphertexts and tokens, it remains to prove plaintext privacy. To this end, we would like to reuse KSW's proof on plaintext privacy. If our construction were close enough to the KSW construction, we might be able to reuse their proof as a blackbox, without having to re-invent the wheel. We give a review of the KSW construction in Section 5.10.

A big difference between our construction SchemeReal and the KSW construction is that, to ensure the symmetry property, we have removed the $G_q$ subgroup from the $K_0$ and $K_\phi$ terms (which correspond to the $K$ term in the KSW construction) in the token. The purpose of SchemeQ is exactly to restore the missing elements $Q_0, Q_\phi \in G_q$ to the $K_0$ and $K_\phi$ terms. By restoring these elements, we obtain a scheme that bears sufficient resemblance to KSW that we can reuse KSW's proof as a blackbox. Specifically, we show that if an adversary can break the plaintext privacy of SchemeQ, we can leverage that adversary to break the plaintext privacy of the KSW construction as well. In addition, as our main construction SchemeReal is computationally indistinguishable from SchemeQ, the plaintext privacy of SchemeQ immediately carries over to SchemeReal.

Another perspective. As mentioned above, we have three variants in the proof: our main construction SchemeReal, a symmetric construction SchemeSym, and a construction with the $Q_0, Q_\phi$ terms restored called SchemeQ. In fact, we show that all three variants are computationally indistinguishable from each other. This means that the properties we prove on one variant automatically carry over to the other two variants. In fact, all three variants have symmetric or computationally symmetric ciphertexts and tokens; and all three variants have plaintext privacy. As a result, all three variants have query privacy as well. This also suggests that any of these three schemes could be our main construction. The reason why we chose SchemeReal to be our main construction is merely that SchemeReal is easier to express and slightly faster to compute than the other two variants.

An alternative way to interpret our proof is as follows. Suppose that we used SchemeSym as our main construction instead. Our goal is to prove that SchemeSym has both plaintext and query privacy. As ciphertexts and tokens are symmetric by distribution in SchemeSym, it suffices to prove plaintext privacy of SchemeSym. And to prove the plaintext privacy of SchemeSym, we show that SchemeSym is computationally indistinguishable from SchemeQ, and that SchemeQ has plaintext privacy. However, to show that SchemeSym is computationally indistinguishable from SchemeQ, we need to introduce an intermediate step: first, show that SchemeSym is computationally indistinguishable from SchemeReal; then, show that SchemeReal is computationally indistinguishable from SchemeQ.

We defer the detailed proof of Theorem 5.5.1 to Section 5.7.

5.6 Correctness


The correctness of the above construction relies on the following facts, which tell us that no cross-subgroup interaction happens when we perform a pairing operation on two group elements. Although the following facts are stated using the notations $G_p$ and $G_q$, they also apply to general composite-order bilinear groups.

Fact 5.6.1 Let $a_p \in G_p$, $b_q \in G_q$ denote two elements from distinct subgroups. Then $e(a_p, b_q) = 1$.

From Fact 5.6.1 and the bilinear property of the pairing function $e$, we can derive the following fact.

Fact 5.6.2 Let $G_{pq} = G_p \times G_q$ and $a, b \in G_{pq}$. Then $a$ and $b$ can be rewritten (uniquely) as $a = a_p a_q$, $b = b_p b_q$, where $a_p, b_p \in G_p$ and $a_q, b_q \in G_q$. Furthermore,

$$e(a, b) = e(a_p, b_p)\, e(a_q, b_q)$$

In plain English, this means that when we perform a pairing operation on $a$ and $b$, there is no cross-subgroup interaction. It is equivalent to performing a pairing inside each subgroup and multiplying the results together.

Now we can check the correctness of the Query algorithm. It is not hard to see that in Equation (5.4), operations in the subgroups $G_p$, $G_r$, $G_f$ all result in $1 \in G_T$. Therefore, we only need to focus on the subgroup $G_q$, and the outcome of Equation (5.4) is:

Therefore, if $\langle x, v\rangle = 0 \bmod N$, then the above evaluates to 1. Otherwise, if $\langle x, v\rangle \neq 0 \bmod N$, there are two cases: (a) $\langle x, v\rangle = 0 \bmod q$. This case reveals a non-trivial factor of $N$, and therefore happens with negligible probability. (b) $\langle x, v\rangle \neq 0 \bmod q$. In this case, except with negligible probability, $\alpha f_1 + \beta f_2 \neq 0 \bmod q$, and the output of Equation (5.4) is not equal to $1 \in G_T$.
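As an added illustration (not part of the thesis, and not its construction), the following Python models a composite-order bilinear group at the exponent level and runs a stripped-down, one-randomness inner-product test through it, so that Facts 5.6.1 and 5.6.2 and the three cases of the correctness argument can be checked mechanically. It assumes toy primes $p, q$, a cyclic group $G$ of order $N = pq$ with $G_p = \langle g^q\rangle$ and $G_q = \langle g^p\rangle$, and a pairing modelled as $e(g^a, g^b) = g_T^{ab}$; all function names are constructed here.

```python
"""Exponent-level model of a composite-order bilinear group (constructed toy).

G is cyclic of order N = p*q with generator g; an element g^e is stored as the
exponent e mod N.  G_p = <g^q> and G_q = <g^p>.  The pairing is modelled as
e(g^a, g^b) = g_T^(a*b), so G_T elements are exponents mod N as well.  Exponents
are visible here, so this models only the algebra, not a secure scheme.
"""
import random

P, Q = 101, 103        # toy primes (constructed); a real N is a hard-to-factor composite
N = P * Q

def gp(e):             # g_p^e, with g_p = g^q generating the order-p subgroup G_p
    return (Q * e) % N

def gq(e):             # g_q^e, with g_q = g^p generating the order-q subgroup G_q
    return (P * e) % N

def mul(a, b):         # group multiplication g^a * g^b
    return (a + b) % N

def inv(a):            # group inverse (g^a)^-1
    return (-a) % N

def pair(a, b):        # bilinear map e(g^a, g^b) = g_T^(ab)
    return (a * b) % N

ONE_T = 0              # identity of G_T

def project(a, sub):
    """G_sub-component of g^a (sub is P or Q), via the CRT idempotent of Z_N."""
    other = Q if sub == P else P
    return (a * other * pow(other, -1, sub)) % N

def fact_5_6_1(ap_exp, bq_exp):
    """Fact 5.6.1: e(a_p, b_q) = 1 whenever a_p in G_p and b_q in G_q."""
    return pair(gp(ap_exp), gq(bq_exp)) == ONE_T

def fact_5_6_2(a, b):
    """Fact 5.6.2: a = a_p a_q, b = b_p b_q uniquely, and e(a,b) = e(a_p,b_p) e(a_q,b_q)."""
    ap, aq, bp, bq = project(a, P), project(a, Q), project(b, P), project(b, Q)
    decomposes = mul(ap, aq) == a and mul(bp, bq) == b
    no_cross_terms = pair(a, b) == (pair(ap, bp) + pair(aq, bq)) % N
    return decomposes and no_cross_terms

# --- stripped-down KSW-style inner-product predicate (toy, one degree of randomness s) ---

def keygen(n, rng):
    """MSK = exponents z_i of h_i = g_p^z_i; no G_r / G_f blinding in this toy."""
    return [rng.randrange(1, N) for _ in range(n)]

def encrypt(msk, x, rng):
    """CT = (C_0 = g_p^s, C_i = h_i^s * g_q^(alpha x_i)); alpha is nonzero mod q."""
    s, alpha = rng.randrange(1, N), rng.randrange(1, Q)
    c0 = gp(s)
    cs = [mul(gp(z * s), gq(alpha * xi)) for z, xi in zip(msk, x)]
    return c0, cs

def gen_token(msk, v, rng):
    """TK = (K_0 = prod h_i^-r_i, K_i = g_p^r_i * g_q^(beta v_i)); beta nonzero mod q."""
    beta = rng.randrange(1, Q)
    rs = [rng.randrange(1, N) for _ in msk]
    k0 = 0
    for z, r in zip(msk, rs):
        k0 = mul(k0, inv(gp(z * r)))
    ks = [mul(gp(r), gq(beta * vi)) for r, vi in zip(rs, v)]
    return k0, ks

def query(ct, tk):
    """e(C_0,K_0) * prod e(C_i,K_i): the G_p parts cancel, leaving g_T^(p^2 alpha beta <x,v>)."""
    c0, cs = ct
    k0, ks = tk
    acc = pair(c0, k0)
    for c, k in zip(cs, ks):
        acc = (acc + pair(c, k)) % N
    return acc == ONE_T

def inner_product_case(x, v):
    """The three cases of the correctness argument, decided on <x,v> mod N."""
    ip = sum(xi * vi for xi, vi in zip(x, v)) % N
    if ip == 0:
        return "zero mod N"          # Query outputs 1, as intended
    if ip % Q == 0:
        return "zero mod q only"     # Query still outputs 1: a factor of N has leaked
    return "nonzero mod q"           # Query outputs an element != 1 (alpha*beta != 0 mod q)

if __name__ == "__main__":
    rng = random.Random(7)
    msk = keygen(3, rng)
    ct = encrypt(msk, [1, 2, 3], rng)
    for v in ([3, 0, -1], [1, 1, 1]):
        print(v, query(ct, gen_token(msk, v, rng)), inner_product_case([1, 2, 3], v))
```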


5.7 Security Proof

5.7.1 Terminology used in the proof

We now prove the selective SCI security (Definition 5.3.5) of our construction. To do this, it suffices to prove plaintext privacy and query privacy separately.

Definition 5.7.1 (Selective plaintext privacy) An adversary plays the security game in Definition 5.3.5 with a challenger. However, the adversary submits ciphertext challenges only. An SK-PE scheme has selective plaintext privacy iff no polynomial-time adversary can win the security game with more than negligible advantage.

Definition 5.7.2 (Selective query privacy) Selective query privacy is defined similarly to selective plaintext privacy, except that now the adversary can only submit token challenges in the security game.

It is not hard to see that to prove selective SCI security, it suffices to prove that the scheme has both selective plaintext privacy and selective query privacy, as stated in the following lemma.

Lemma 5.7.3 An SK-PE scheme that has both selective plaintext privacy and selective query privacy is selective SCI-secure.

In the proof, we often need to modify our main construction, and show that the resulting encryption scheme is computationally indistinguishable from the original construction. To prove that the original construction has a certain security property, it then suffices to prove that the new scheme has that security property. The following definition formally states what it means for two encryption schemes to be computationally indistinguishable.

Definition 5.7.4 (Indistinguishability of encryption schemes) We say that two SK-PE encryption schemes SchemeA and SchemeB are computationally indistinguishable from each other if no polynomial-time adversary has more than negligible advantage in winning the following distinguishing game:

• Setup. The challenger flips a random coin $b$. If $b = 1$, SchemeA is chosen; otherwise, SchemeB is chosen. Now the challenger runs the setup algorithm of the chosen scheme, and retains the secret key MSK to itself.

• Queries. The adversary adaptively makes ciphertext queries and token queries. In other words, the adversary can request that the challenger reveal an encryption of a plaintext $x$ of its choice, or request that the challenger reveal a token for $v$ of its choice. The challenger computes the requested ciphertext (token) according to SchemeA or SchemeB, depending on which one has been chosen.

• Guess. At the end of the distinguishing game, the adversary guesses which encryption scheme has been chosen, i.e., it outputs a guess $b'$ of the bit $b$ chosen by the challenger. The adversary's advantage is defined as $\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \tfrac{1}{2}\right|$.

The notion of computational indistinguishability between two encryption schemes will be useful throughout our proofs, as to prove plaintext privacy (or query privacy) of Scheme1, it suffices to prove plaintext privacy (or query privacy) of its counterpart Scheme2, which is computationally indistinguishable from Scheme1. This is formally stated in the proposition below.

Proposition 5.7.1 Let Scheme1 and Scheme2 denote two SK-PE schemes that are computationally indistinguishable from each other. If Scheme1 has plaintext privacy (or query privacy), then Scheme2 must have plaintext privacy (or query privacy) as well.

Proof: (sketch.) Suppose for the purpose of a contradiction that Scheme1 has plaintext privacy, but Scheme2 does not have plaintext privacy. This means that there exists a polynomial-time adversary $\mathcal{A}$ who can win the plaintext privacy game (of Scheme2) with non-negligible probability $\epsilon$. We can now leverage this adversary $\mathcal{A}$ to distinguish Scheme1 and Scheme2. We build a simulator $\mathcal{B}$. When given an encryption scheme Scheme, $\mathcal{B}$ can decide whether Scheme is Scheme1 or Scheme2 with probability at least $\epsilon/2$. The simulator's strategy is to play the plaintext privacy game with $\mathcal{A}$, and if $\mathcal{A}$ wins the plaintext privacy game, our simulator outputs Scheme2; otherwise, it outputs Scheme1. This contradicts the assumption that Scheme1 and Scheme2 are computationally indistinguishable. ■
5.7.2 Proof overview


The proof consists of two parts.

1. We first show in Section 5.7.3 that our main construction (henceforth referred to as SchemeReal) guarantees selective plaintext privacy. This part of the proof is done in two steps. First, we show that SchemeReal is computationally indistinguishable from a variant scheme called SchemeQ. Second, we show that SchemeQ has selective plaintext privacy. More specifically, SchemeQ bears enough resemblance to the KSW construction that it is possible to reuse KSW's proof on plaintext privacy in a blackbox fashion.

2. Next, we show in Section 5.7.4 that our main construction is computationally indistinguishable from an alternative scheme (referred to as SchemeSym), where the tokens and ciphertexts are symmetrically formed. As SchemeSym and SchemeReal are computationally indistinguishable, it suffices to prove the plaintext and query privacy of SchemeSym.

The plaintext privacy of SchemeSym follows from the plaintext privacy of SchemeReal. Since tokens and ciphertexts are symmetrically formed in SchemeSym, the tokens must be secure as well in SchemeSym.

5.7.3 Plaintext privacy of SchemeReal

Lemma 5.7.5 (Selective plaintext privacy of SchemeReal) Assuming the generalized C3DH assumption and Assumption 1, SchemeReal has selective plaintext privacy.

We know that the KSW construction has plaintext privacy (in the public key setting). To prove the plaintext privacy of our construction, SchemeReal, first observe the differences between our construction and the KSW construction.

1. Our construction introduces the $h_{1,i}, h_{2,i}$ terms. As a result, we need one extra group element for both the ciphertext and token: the $C_0$ and $K$ terms in KSW become $C_0, C_\phi$ and $K_0, K_\phi$ in our construction.

2. Our construction removes the $G_q$ elements from the $K_0$ and $K_\phi$ terms in the token. (To compare, observe the $Q \in G_q$ element in the $K$ term of the KSW construction.)

The intuition behind the following proof (of Lemma 5.7.5) is to show that these modifications preserve the plaintext privacy of the KSW construction.

The proof of Lemma 5.7.5 consists of two parts:

1. We first add back the random hiding factors from $G_q$ to the $K_0$ and $K_\phi$ terms in the token. The resulting scheme is called SchemeQ. We show that SchemeReal and SchemeQ are computationally indistinguishable.

2. We prove the plaintext privacy of SchemeQ. The proof is a reduction showing that if there exists a polynomial-time adversary $\mathcal{A}$ that can break the plaintext privacy of SchemeQ, we can then build a polynomial-time simulator $\mathcal{B}$ that leverages the adversary $\mathcal{A}$ and breaks the plaintext privacy of the KSW construction.

Definition 5.7.6 (SchemeQ) We add random hiding factors from the $G_q$ subgroup to the terms $K_0$ and $K_\phi$ in SchemeReal. The resulting scheme is called SchemeQ. Below is a formal description of SchemeQ.

For the readers' convenience, in the expression for the token TK below, we underline the parts where SchemeQ and SchemeReal differ.

Setup($1^\lambda$): Same as the Setup algorithm of SchemeReal.

Encrypt(MSK, $x$): Same as the Encrypt algorithm of SchemeReal.

GenToken(MSK, $v$): Let $v = (v_1, v_2, \ldots, v_n) \in (\mathbb{Z}_N)^n$. The GenToken algorithm picks random exponents $f_1, f_2, \{r_{1,i}, r_{2,i}\}_{i=1}^n$ from $\mathbb{Z}_N$. Then, it chooses random hiding factors $R_0, R_\phi$ from the subgroup $G_r$; random $Q_0, Q_\phi$ from $G_q$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^n$ from $G_f$. Next, the GenToken algorithm computes the following token:


$$\mathrm{TK} = \left(\ K_0 = \underline{Q_0}\,R_0 \prod_{i=1}^n h_{1,i}^{-r_{1,i}} h_{2,i}^{-r_{2,i}},\quad K_\phi = \underline{Q_\phi}\,R_\phi \prod_{i=1}^n u_{1,i}^{-r_{1,i}} u_{2,i}^{-r_{2,i}},\quad \left\{ K_{1,i} = g_p^{r_{1,i}} g_q^{f_1 v_i} R_{1,i},\ K_{2,i} = g_p^{r_{2,i}} g_q^{f_2 v_i} R_{2,i} \right\}_{i=1}^n \right)$$

Query($\mathrm{TK}_v$, $\mathrm{CT}_x$): Same as the Query algorithm of SchemeReal.

To reiterate, the underlined parts represent the places where SchemeQ and SchemeReal differ.


Computational indistinguishability of SchemeReal and SchemeQ

To show that SchemeReal and SchemeQ are computationally indistinguishable, we further introduce a sequence of hybrid schemes:

$$\text{SchemeReal} \xrightarrow{\ f_2 = \omega f_1\ } \text{Scheme1} \xrightarrow{\ +Q_0\ } \text{Scheme2} \xrightarrow{\ +Q_\phi\ } \text{Scheme3} \xrightarrow{\ \text{restore } f_1, f_2\ } \text{SchemeQ}$$

In the above, the text on top of each arrow highlights the modification we make to the former scheme to obtain the latter. These modifications will be explained in detail shortly when we formally define each hybrid scheme. We show that any two consecutive schemes in the above sequence are computationally indistinguishable.

Definition 5.7.7 (Scheme1) We first make slight modifications to SchemeReal and obtain a hybrid scheme called Scheme1. In Scheme1, instead of picking fresh and independent random numbers $f_1$ and $f_2$ for each token, the GenToken algorithm picks $f_1$ at random, and lets $f_2 = \omega f_1$, where $\omega$ is a random number in $\mathbb{Z}_N$ chosen during the Setup stage and kept secret by the master key owner. More specifically, we formally define Scheme1 as below:

Setup($1^\lambda$): Same as the Setup algorithm of SchemeReal, except that now we pick an additional random number $\omega \in \mathbb{Z}_N$, and add it to the secret key. In the mathematical expressions below, we underline the parts where Scheme1 differs from SchemeReal.

$$\mathrm{SK} = \left(g_p,\ g_q,\ g_r,\ g_f,\ \{h_{1,i},\ h_{2,i},\ u_{1,i},\ u_{2,i}\}_{i=1}^n,\ \underline{\omega}\right)$$
Encrypt(MSK, $x$): Same as the Encrypt algorithm of SchemeReal.

GenToken(MSK, $v$): Instead of picking $f_1, f_2 \in \mathbb{Z}_N$ independently at random, the GenToken algorithm picks $f \in \mathbb{Z}_N$ at random, and lets $f_1 = f$ and $f_2 = \omega f$. The rest of the GenToken algorithm is the same as that of SchemeReal.


$$\mathrm{TK} = \left(\ K_0 = R_0 \prod_{i=1}^n h_{1,i}^{-r_{1,i}} h_{2,i}^{-r_{2,i}},\quad K_\phi = R_\phi \prod_{i=1}^n u_{1,i}^{-r_{1,i}} u_{2,i}^{-r_{2,i}},\quad \left\{ K_{1,i} = g_p^{r_{1,i}} g_q^{\underline{f}\, v_i} R_{1,i},\ K_{2,i} = g_p^{r_{2,i}} g_q^{\underline{\omega f}\, v_i} R_{2,i} \right\}_{i=1}^n \right)$$

Query($\mathrm{TK}_v$, $\mathrm{CT}_x$): Same as the Query algorithm in SchemeReal.

Claim 5.7.8 (Computational indistinguishability of SchemeReal and Scheme1) Under the generalized C3DH assumption, Scheme1 is computationally indistinguishable from SchemeReal.

Proof: We can prove this claim based on the generalized C3DH assumption and a hybrid argument. Intuitively, Claim 5.7.8 relies on the following observation.

Observation 5.7.1 ($\ell$-C3DH) Define the following distribution:

$$u_1, u_2, \ldots, u_\ell \leftarrow G_q,\qquad \omega \leftarrow \mathbb{Z}_N,\qquad R_1, \ldots, R_\ell,\ R'_1, \ldots, R'_\ell,\ R''_1, \ldots, R''_\ell \leftarrow G_f,\qquad Q_1, Q_2, \ldots, Q_\ell \leftarrow G_q$$

Suppose an adversary is given the generators of each subgroup:

$$g_p,\ g_q,\ g_r,\ g_f$$

Let $b$ denote a random coin flip. If $b = 0$, the adversary is given the tuple

$$(u_1 R_1, \ldots, u_\ell R_\ell,\ u_1^{\omega} R'_1, \ldots, u_\ell^{\omega} R'_\ell)$$

if $b = 1$, the adversary is given the tuple

$$(u_1 R_1, \ldots, u_\ell R_\ell,\ Q_1 R''_1, \ldots, Q_\ell R''_\ell)$$

Suppose the adversary outputs a guess $b'$ of $b$. Denote the adversary's advantage as $\mathrm{Adv}_{\mathcal{A}} := \left|\Pr[b' = b] - \tfrac{1}{2}\right|$. Then no polynomial-time adversary can win this $\ell$-C3DH game with more than negligible advantage.

This observation can be proven through the generalized C3DH assumption and a simple hybrid argument. Shi et al. [37] also used the $\ell$-C3DH assumption as an intermediate assumption in their proofs.

It is not hard to see that the above observation leads to Claim 5.7.8. The proof can be done through a simple reduction argument. Basically, if there exists an adversary that can distinguish between SchemeReal and Scheme1, we can leverage that adversary to build a simulator $\mathcal{B}$ that can win the above $\ell$-C3DH game. The simulator $\mathcal{B}$ is randomly given one of the following two tuples:

$$(u_1 R_1, \ldots, u_\ell R_\ell,\ U_1 = u_1^{\omega} R'_1, \ldots, U_\ell = u_\ell^{\omega} R'_\ell)$$

or

$$(u_1 R_1, \ldots, u_\ell R_\ell,\ U_1 = Q_1 R''_1, \ldots, U_\ell = Q_\ell R''_\ell)$$

Now the simulator tries to determine which case it is.

The simulator leverages a distinguishing adversary $\mathcal{A}$ that tries to distinguish SchemeReal and Scheme1. Suppose that the adversary makes $\ell$ token queries.

In the setup phase of the game, the simulator generates the secret key (without the $\omega$ term) and retains the secret key to itself. Clearly, the simulator can successfully generate the secret key given the generators of the different subgroups.

In answer to the $j$th token query, the simulator uses the terms $u_j R_j$ and $U_j$ from the $\ell$-C3DH instance to build the following token:

$$\mathrm{TK} = \left(\ K_0 = R_0 \prod_{i=1}^n h_{1,i}^{-r_{1,i}} h_{2,i}^{-r_{2,i}},\quad K_\phi = R_\phi \prod_{i=1}^n u_{1,i}^{-r_{1,i}} u_{2,i}^{-r_{2,i}},\quad \left\{ K_{1,i} = g_p^{r_{1,i}} (u_j R_j)^{v_i} R_{1,i},\ K_{2,i} = g_p^{r_{2,i}} U_j^{v_i} R_{2,i} \right\}_{i=1}^n \right)$$

Clearly, if $b = 0$, then the tokens are formed as in Scheme1; if $b = 1$, the tokens are formed as in SchemeReal.

If $\mathcal{A}$ outputs a guess of Scheme1, the simulator outputs a guess $b' = 0$; if $\mathcal{A}$ outputs a guess of SchemeReal, the simulator outputs a guess of $b' = 1$. In this way, if $\mathcal{A}$ has advantage $\epsilon$ in distinguishing SchemeReal and Scheme1, the simulator will have advantage $\epsilon$ in winning the $\ell$-C3DH game. ■


Remark 5.7.1 To prove computational indistinguishability between SchemeReal and Scheme1, we rely on the $G_f$ subgroup. This means that our proof that SchemeReal is computationally indistinguishable from SchemeQ relies on the $G_f$ subgroup. Therefore, although we are able to computationally remove the $G_q$ subgroup from the $K_0$ and $K_\phi$ terms in the token, it does NOT imply that one can do the same thing for the KSW construction, as the KSW construction does not have the $G_f$ subgroup. To reiterate, our proof does NOT imply that one can safely remove the $G_q$ subgroup from the $K$ term in the token of the KSW construction.

Definition 5.7.9 (Scheme2) We further modify Scheme1, and add a random element $Q_0 \in G_q$ to the term $K_0$ in the token. The resulting scheme is referred to as Scheme2, and is formally defined as below:

Setup($1^\lambda$): Same as in Scheme1.

Encrypt(MSK, $x$): Same as in Scheme1.

GenToken(MSK, $v$): The GenToken algorithm picks a random $Q_0 \in G_q$, and multiplies $Q_0$ into $K_0$. Note that a fresh $Q_0$ is generated each time GenToken is called. The rest of the GenToken algorithm is the same as in Scheme1. In the expression below, we underline the parts where Scheme2 and Scheme1 differ.
$$\mathrm{TK} = \left(\ K_0 = \underline{Q_0}\,R_0 \prod_{i=1}^n h_{1,i}^{-r_{1,i}} h_{2,i}^{-r_{2,i}},\quad K_\phi = R_\phi \prod_{i=1}^n u_{1,i}^{-r_{1,i}} u_{2,i}^{-r_{2,i}},\quad \left\{ K_{1,i} = g_p^{r_{1,i}} g_q^{f v_i} R_{1,i},\ K_{2,i} = g_p^{r_{2,i}} g_q^{\omega f v_i} R_{2,i} \right\}_{i=1}^n \right)$$

Query($\mathrm{TK}_v$, $\mathrm{CT}_x$): Same as in Scheme1.

Again, for clarity, we underline the places where Scheme2 differs from Scheme1.

Claim 5.7.10 (Computational indistinguishability of Scheme1 and Scheme2) Assume that Assumption 1 of the KSW paper [28] holds in the bilinear group $G$; then Scheme2 is computationally indistinguishable from Scheme1.

To prove this claim, we first review Assumption 1 as stated by Katz et al. We assume that this assumption holds when $G_p \times G_q \times G_r$ belongs to a larger group of order $N = pqrf$. We restate Assumption 1 in the context of the larger group.

Definition 5.7.11 (Assumption 1 of the KSW construction [28]) Any polynomial-time adversary has a negligible advantage in the following experiment:

Let $N = pqrf$, and let $g_p, g_q, g_r, g_f$ be random generators of $G_p, G_q, G_r, G_f$ respectively. Pick the following numbers at random: $Q_1, Q_2, Q_3 \in G_q$, $R_1, R_2, R_3 \in G_r$, $a, b, s \in \mathbb{Z}_p$, and a random bit $b$. If $b = 0$, $\gamma = 0$; else if $b = 1$, $\gamma$ is chosen at random from $\mathbb{Z}_N$. Give the adversary the description of the bilinear group $(N, G, G_T, e)$ and the following set of values. The adversary's task is to guess the bit $b$.


$$S = \left\{\, g_p,\ g_r,\ g_f,\ g_q R_1,\ g_p^{b},\ g_p^{b^2},\ g_p^{a} g_q,\ g_p^{ab} Q_1,\ g_p^{s},\ g_p^{bs} Q_2 R_2,\ T = g_p^{b^2 s} g_q^{\gamma} R_3 \,\right\} \qquad (5.5)$$


The adversary outputs a guess $b'$ of the bit $b$, and its advantage is defined as

$$\mathrm{Adv}_{\mathcal{A}} = \left|\Pr[b' = b] - \frac{1}{2}\right|$$

Assumption 1 states that no polynomial-time adversary can win this game with more than negligible advantage.

In fact, Claim 5.7.10 relies on a weaker assumption than Assumption 1. Specifically, we only need to reveal to the adversary a subset $S' \subset S$:

$$S' = \left\{\, g_p,\ g_r,\ g_f,\ g_q R_1,\ g_p^{b^2},\ g_p^{a} g_q,\ g_p^{s},\ T = g_p^{b^2 s} g_q^{\gamma} R_3 \,\right\}$$


Definition 5.7.12 (Assumption W) Given the set $S'$, no polynomial-time adversary can decide whether $\gamma = 0$ or $\gamma \leftarrow \mathbb{Z}_N$ with more than negligible advantage.

Clearly, Assumption 1 implies Assumption W, that is, Assumption W is weaker than Assumption 1.

Proof of Claim 5.7.10: We build a simulator $\mathcal{B}$ that tries to break Assumption 1. The simulator utilizes an adversary $\mathcal{A}$ that tries to distinguish Scheme1 from Scheme2. If the adversary $\mathcal{A}$ has advantage $\epsilon$ in distinguishing Scheme1 from Scheme2, then the simulator $\mathcal{B}$ has advantage $\epsilon$ in breaking Assumption W.

The simulator $\mathcal{B}$ is given an instance of Assumption W, and it plays the following distinguishing game with the adversary $\mathcal{A}$. The adversary makes queries for ciphertexts and tokens, and in answer to these queries, the simulator computes ciphertexts and tokens following a certain strategy. The resulting ciphertexts and tokens are distributed either according to Scheme1 or according to Scheme2. In particular, if the simulator is given $T = g_p^{b^2 s} R_3$ from the Assumption W instance, then the encryption scheme used is identically distributed to Scheme1; otherwise, if $T = g_p^{b^2 s} Q_3 R_3$, the encryption scheme used is identically distributed to Scheme2.

• Setup. The simulator is given an instance of Assumption W, and it uses this knowledge to create the following secret key:


Pvk 


gp:  gr,  gr, 


{«n,i  =  (sf  n* 


hi ,i  =  ,9p  ,  h2,i  =  gf* 


i=  1 


where  u,  {zt.  y,,  q ,  V;}”=i  are  random  exponents  from  ZN.  In  the  above  Pvk,  the  following 
elements  are  inherited  from  the  Assumption  W  instance:  gp,  gq,  gr ,  gr  and  g^ . 

Notice that the simulator does not know $g_q$, which ought to be part of the secret key. We show that the simulator is still able to answer ciphertext queries and token queries from the adversary appropriately, in spite of not knowing $g_q$.

• Ciphertext query. In spite of not knowing $g_q$, the simulator is able to compute ciphertexts, as it knows $g_q R_1$ from the Assumption W instance, and a generator $g_r$ of the subgroup $G_r$.

• Token query. To answer a token query, the simulator picks random values $\tau, f$ from $\mathbb{Z}_N$; random hiding factors $R_0, R_\phi$ from the subgroup $G_r$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^n$ from $G_f$. The simulator uses the following strategy to decide the values of $\{r_{1,i}, r_{2,i}\}_{i=1}^n$. First, the simulator picks random exponents $\{\tau_i, r'_{1,i}, r'_{2,i}\}_{i=1}^n$ from $\mathbb{Z}_N$. The simulator then implicitly sets the values of $\{r_{1,i}, r_{2,i}\}_{i=1}^n$ to be the following, without actually computing them:


Vi  G  [n]  :  rhi  =  afvi  +  TjS  +  rM 
r2)i  =  afuvi  +  r2ji 


(5.6) 


Using the above implicit values for $\{r_{1,i}, r_{2,i}\}_{i=1}^n$, the simulator is able to compute a token as below:

$$\forall i \in [n]:\quad K_{1,i} = R_{1,i} \cdot (g_p^{a} g_q)^{f v_i} (g_p^{s})^{\tau_i} g_p^{r'_{1,i}},\qquad K_{2,i} = R_{2,i} \cdot (g_p^{a} g_q)^{\omega f v_i} g_p^{r'_{2,i}} \qquad (5.7)$$

In addition,

$$K_0 = R_0 \prod_{i=1}^n T^{-y_i \tau_i} \cdot h_{1,i}^{-r'_{1,i}} \cdot (g_p^{-a} R_1)^{f \omega z_i v_i} \cdot h_{2,i}^{-r'_{2,i}} \qquad (5.8)$$
n 

K,  =  Ht  n  {(9qaRi)“*Vi9p2’i)~d' 
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(5.9) 


Notice that the above equations make use of the term $g_p^{-a} R_1$. This can be obtained from the terms $g_q R_1$ and $g_p^{a} g_q$ inherited from the Assumption W instance:

$$\frac{g_q R_1}{g_p^{a} g_q} = g_p^{-a} R_1$$


It is not hard to see that $\{K_{1,i}, K_{2,i}\}_{i=1}^n$ as defined in Equation (5.7), and $K_\phi$ as defined in Equation (5.9), are correctly formed as in Scheme1 (or Scheme2). Recall that the terms $K_\phi, \{K_{1,i}, K_{2,i}\}_{i=1}^n$ have the same form in both Scheme1 and Scheme2. It remains to verify that $K_0$, as defined in Equation (5.8), is distributed either as in Scheme1 or as in Scheme2, depending on the value of $\gamma$ from the Assumption W instance.

Observation 5.7.2 If $\gamma$ from the Assumption W instance is equal to 0, then $K_0$ as defined in Equation (5.8) is distributed as in Scheme1. Otherwise, if $\gamma \leftarrow \mathbb{Z}_N$, $K_0$ as defined in Equation (5.8) is distributed as in Scheme2.

To see why $K_0$ follows the correct distribution, let $K_{0,p}, K_{0,q}, K_{0,r}$ denote the projections of $K_0$ into the subgroups $G_p, G_q, G_r$ respectively. Clearly, $K_{0,r}$ has the correct distribution.

We now verify that $K_{0,q}$ and $K_{0,p}$ have the correct distribution.

It is not hard to see that

$$K_{0,q} = g_q^{\gamma \kappa}\quad\text{where}\quad \kappa = -\sum_{i=1}^n y_i \tau_i$$


Clearly, if $\gamma = 0$ in the Assumption W instance, then $K_{0,q}$ is distributed as in Scheme1, i.e., $K_0$ does not contain an element from the subgroup $G_q$. We now need to show that if $\gamma \leftarrow \mathbb{Z}_N$, $K_{0,q}$ is distributed as in Scheme2, that is, $K_0$ contains a random element from the subgroup $G_q$. To prove this, it suffices to observe that $\kappa$ is distributed uniformly at random in $\mathbb{Z}_N$, and is independent of $\{r'_{1,i}, r'_{2,i}\}_{i=1}^n$.

Remark 5.7.2 In fact, it suffices to pick $\tau_1 \leftarrow \mathbb{Z}_N$, and fix $\tau_i = 0$ for $i \in [2, n]$.


It  remains  to  verify  that  K0  p  has  the  correct  distribution.  The  correct  distribution  of  Kqp 
should  be: 


niu  hi 


-ritii-r2,i 

a2A 


=  uu{gf“yi)afVi+TiS^  ■  (. 9 ■ 

—  FT"'  n-b2suyiTi^~ri-,i  -afuziViU 
~  1  ii=i  9p  ui.i  9p  Ui 


-Zi  gb2yi^afu]Vi+r2,, 

~r2  ,i 
2  ,i 


(5.10) 


It is not very hard to see that the $K_0$ defined in Equation (5.8) has the same $G_p$ component as the above Equation (5.10). A crucial observation here is that all terms involving $g_p^{ab^2}$ (which is unknown to the simulator) cancel out. This is the reason why the simulator can generate the token efficiently.

•  Guess.  The  simulator  B  outputs  the  same  guess  b'  output  by  the  adversary  A. 

Clearly, if the adversary A has advantage $\epsilon$ in distinguishing Scheme1 and Scheme2, then the simulator B also has advantage $\epsilon$ in breaking Assumption W. This completes the proof of Claim 5.7.10. ■
Definition 5.7.13 (Scheme3) We further modify Scheme2, and add a random element $\hat Q_0 \in G_q$ to the term $\hat K_0$ in the token. In the resulting scheme (referred to as Scheme3), both the terms $K_0$ and $\hat K_0$ have a random element from the $G_q$ subgroup. Scheme3 is formally defined as below:

Setup($1^\lambda$): Same as in Scheme2.

Encrypt(MSK, $\vec x$): Same as in Scheme2.

GenToken(MSK, $\vec v$): The GenToken algorithm picks random $Q_0, \hat Q_0 \in G_q$, and multiplies $Q_0$ and $\hat Q_0$ into $K_0$ and $\hat K_0$ respectively; the rest of the GenToken algorithm is unchanged. In the expression below, we underline the parts where Scheme2 and Scheme3 differ.


$$\mathrm{TK} = \left( K_0 = Q_0 R_0 \cdot \prod_{i=1}^n h_{1,i}^{-r_{1,i}} h_{2,i}^{-r_{2,i}},\quad \hat K_0 = \underline{\hat Q_0}\, \hat R_0 \cdot \prod_{i=1}^n \hat h_{1,i}^{-r_{1,i}} \hat h_{2,i}^{-r_{2,i}},\quad \left\{ K_{1,i} = g_p^{r_{1,i}} g_q^{f_1 v_i} R_{1,i},\ K_{2,i} = g_p^{r_{2,i}} g_q^{f_2 v_i} R_{2,i} \right\}_{i=1}^n \right)$$


Query(TK$_{\vec v}$, CT$_{\vec x}$): Same as in Scheme2.

Claim 5.7.14 (Computational indistinguishability of Scheme2 and Scheme3) Given that Assumption 1 of the KSW paper [28] holds in the bilinear group $G$, Scheme3 is computationally indistinguishable from Scheme2.

Proof: The proof of this claim is very similar to that of Claim 5.7.10. The only difference is that in this proof, the simulator needs to rerandomize the term $\hat K_0$ with a random element from the subgroup $G_{qr} = G_q \times G_r$. This can be achieved since the simulator knows the terms $g_q R_1$ and $g_r$. (In comparison, in the proof of Claim 5.7.10, the simulator rerandomizes the term $\hat K_0$ with an element from $G_r$.) ■

Recall that we are trying to show that SchemeReal and SchemeQ are computationally indistinguishable. We have made a sequence of modifications to SchemeReal, and have obtained Scheme3. So far, we have shown that SchemeReal and Scheme3 are computationally indistinguishable. We now further modify Scheme3 and finally obtain SchemeQ. In Scheme1, Scheme2 and Scheme3, the $f_1$ and $f_2$ exponents in the tokens satisfy the relation $f_2 = \omega f_1$, where $\omega$ is a pre-determined secret. We now restore the $f_1$ and $f_2$ exponents as independent fresh random numbers.

Claim 5.7.15 Assuming the generalized C3DH assumption, Scheme3 and SchemeQ are computationally indistinguishable.

Proof: Similar to that of Claim 5.7.8. ■


Plaintext  privacy  of  SchemeQ 

We  have  shown  that  SchemeReal  is  computationally  indistinguishable  from  SchemeQ.  We  now 
show  that  SchemeQ  has  selective  plaintext  privacy.  This  implies  that  SchemeReal  has  selective 
plaintext  privacy  as  well. 
The original KSW construction runs in a bilinear group of order $N = pqr$. This part of the proof relies on the observation that if we run the KSW construction in the subgroup $G_{pqr} = G_p \times G_q \times G_r$ residing in a larger bilinear group of order $N = pqr\tilde r$, the KSW construction still has plaintext privacy. Fundamentally, this relies on the fact that Assumption 1 still holds when the bilinear group $G_{pqr}$ in question resides in the context of a larger group.

Lemma 5.7.16 Suppose that Assumption 1 holds in the bilinear group $G$; then SchemeQ has selective plaintext privacy.

Proof: The proof is based on the selective plaintext privacy of the KSW construction. We show that if there exists a polynomial-time adversary A that can break the selective plaintext privacy of SchemeQ, we can build a polynomial-time simulator B that leverages A to break the selective plaintext privacy of the KSW construction. Recall that the KSW construction uses a bilinear group of order $N = pqr$. We assume that this group resides in a larger group of size $N = pqr\tilde r$, and that Assumption 1 still holds in the context of this larger group.

The simulator B plays two different roles. On one hand, it interacts with a KSW challenger C, and tries to break the selective plaintext privacy of KSW. On the other hand, it acts as a challenger to the SchemeQ adversary A. In essence, the simulator B uses the following strategy to interact with A: whenever A submits a ciphertext or token query, the simulator B simply forwards it along to the challenger C. In return, B obtains a KSW ciphertext or token. Now B augments the KSW ciphertext or token before handing the answer over to the adversary A. For example, part of the augmentation performed by B is to fill in the terms $\hat C_0$ and $\hat K_0$.

• Init. The SchemeQ adversary A commits to a ciphertext challenge $(\vec x_0, \vec x_1)$ to the simulator B. B forwards the same challenge $(\vec x_0, \vec x_1)$ to C.

• Setup. C runs the Setup algorithm of KSW, and gives the following public key to the simulator B.

$$\mathrm{PK} = \left(g_p,\ g_r,\ g_{\tilde r},\ Q = g_q R_0,\ \{H_{1,i}, H_{2,i}\}_{i=1}^n\right)$$

In  addition,  B  generates  the  following  secrets: 


where $\{y_i, \hat y_i\}_{i=1}^n$ are random numbers from $\mathbb{Z}_N$.

• Ciphertext query. Whenever the adversary A submits a ciphertext query for the vector $\vec x \in (\mathbb{Z}_N)^n$, B computes the following ciphertext and returns it to the adversary. Pick random exponents $s, t, \alpha, \beta$ from $\mathbb{Z}_N$; random hiding factors $R_0, \hat R_0$ from the subgroup $G_{\tilde r}$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^n$ from $G_r$.


CT 


• Token query. Suppose that the adversary A makes a token query for the vector $\vec v \in (\mathbb{Z}_N)^n$. The simulator asks C to generate a KSW token for the same vector $\vec v$. Suppose the KSW token for $\vec v$ is formed as below:

The simulator now transforms this KSW token into a SchemeQ token as below. The simulator picks a random exponent $r \leftarrow \mathbb{Z}_N$; a random hiding factor $\hat R_0$ from the subgroup $G_r$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^n$ from $G_{\tilde r}$.


TK 


K0  =  ko,  Kq  =  Rq,Qr  nr=r 

K\.i  =  kiyiRi:i,  h2>i  =  fc2)ji?2,j 


2=1 


• Challenge. The adversary A submits a ciphertext challenge for the vector $\vec x \in (\mathbb{Z}_N)^n$. The simulator B forwards the challenge to the KSW challenger C. As a result, B obtains the following KSW challenge ciphertext from C:

$$\mathrm{KSW.CT} = \left(c_0,\ \{c_{1,i}, c_{2,i}\}_{i=1}^n\right)$$

The simulator transforms the above KSW ciphertext to a ciphertext under SchemeQ. It picks $t \leftarrow \mathbb{Z}_N$, $R_0, \hat R_0 \leftarrow G_{\tilde r}$, and computes:

£_l_  (  C0  =  R0  ■  c0,  Cj  =  Ri  ■  gj, 

\  {Cr,j  =  ClM„  C2,i  =  c2,j^2>j}i=1 


•  More  ciphertext  and  token  queries.  Same  as  above. 

•  Guess.  The  simulator  B  outputs  the  same  guess  as  the  adversary  A. 

It is not hard to verify that in the above simulation, the ciphertexts and tokens computed by B have the correct distribution. Clearly, if A has advantage $\epsilon$ in breaking SchemeQ, then the simulator B has advantage $\epsilon$ in breaking KSW. This completes the proof of Lemma 5.7.16. ■


5.7.4  Indistinguishability  of  SchemeReal  and  SchemeSym 

We  now  show  that  SchemeReal  is  computationally  indistinguishable  from  a  scheme  called 
SchemeSym,  where  the  tokens  and  the  ciphertexts  are  symmetrically  formed.  The  proof  is  carried 
out  in  the  following  two  steps: 

1.  We  first  define  SchemeSym,  and  show  that  SchemeReal  is  computationally  indistin¬ 
guishable  from  SchemeSym. 

2. Next, we show that in SchemeSym, the tokens and ciphertexts are symmetrically formed.

SchemeSym

We make modifications to SchemeReal, and obtain a new scheme called SchemeSym. In short, we modify the way the GenToken algorithm picks the exponents $\{r_{1,i}, r_{2,i}\}_{i=1}^n$. In SchemeSym, the exponents $\{r_{1,i}, r_{2,i}\}_{i=1}^n$ are no longer picked completely at random from $\mathbb{Z}_p$. Instead, these exponents are now picked at random from a two-dimensional subspace of the vector space $\mathbb{F}_p^{2n}$.
Definition 5.7.17 (SchemeSym) We make the following modifications to SchemeReal, and the resulting scheme is called SchemeSym.

Setup($1^\lambda$): The setup algorithm first chooses a secret key as in SchemeReal. Additionally, it chooses the following random exponents from $\mathbb{Z}_p$, and keeps them secret.

$$\{y_{1,i},\ z_{1,i},\ y_{2,i},\ z_{2,i}\}_{i=1}^n$$

Encrypt(MSK, $\vec x$): Same as the Encrypt algorithm of SchemeReal.

GenToken(MSK, $\vec v$): Instead of picking $\{r_{1,i}, r_{2,i}\}_{i=1}^n$ independently at random from $\mathbb{Z}_p$, the GenToken algorithm picks two random numbers $\rho, \tau \leftarrow \mathbb{Z}_p$, and sets the values of $\{r_{1,i}, r_{2,i}\}_{i=1}^n$ as below:

$$\forall i \in [n]:\quad r_{1,i} = \rho y_{1,i} + \tau z_{1,i},\qquad r_{2,i} = \rho y_{2,i} + \tau z_{2,i}$$

The rest of the GenToken algorithm proceeds as in SchemeReal.

Query(TK$_{\vec v}$, CT$_{\vec x}$): The same as the Query algorithm in SchemeReal.

One way to understand the above construction SchemeSym is as follows. Let $\vec y = \{y_{1,i}, y_{2,i}\}_{i=1}^n$, let $\vec z = \{z_{1,i}, z_{2,i}\}_{i=1}^n$, and let $\vec r = \{r_{1,i}, r_{2,i}\}_{i=1}^n$. It is not hard to see that $\vec r$ is chosen at random from the 2-dimensional subspace generated by $\vec y$ and $\vec z$. Essentially, SchemeSym always chooses a 2-dimensional subspace during the setup phase. Later, when constructing tokens, SchemeSym always picks the exponents $\vec r$ at random from this prescribed 2-dimensional subspace. Due to the Decisional Linear assumption, picking the exponents from a 2-dimensional subspace is computationally indistinguishable from picking the exponents completely at random from the entire vector space $\mathbb{F}_p^{2n}$. We state this intuition in the following lemma.

So far, it may not be entirely clear why the ciphertexts and tokens are symmetrically formed in SchemeSym. We explain why this is the case in Section 5.7.4.

Lemma 5.7.18 Assume that the D-Linear assumption holds in $G_p$; then SchemeSym is computationally indistinguishable from SchemeReal.

Informally, the above Lemma 5.7.18 relies on the following observation.

Observation 5.7.3 ($\ell$-DLinear) Let $\ell$ be an integer greater than 2. Suppose a challenger picks two random vectors $\vec y = (y_1, y_2, \ldots, y_\ell) \leftarrow \mathbb{F}_p^\ell$ and $\vec z = (z_1, z_2, \ldots, z_\ell) \leftarrow \mathbb{F}_p^\ell$. The challenger then flips a random coin $b$, and generates a random vector $\vec\gamma = (\gamma_1, \gamma_2, \ldots, \gamma_\ell)$ in one of the following ways, depending on the outcome of the coin flip $b$:

• If $b = 0$, the challenger picks $\gamma_1, \gamma_2, \ldots, \gamma_\ell$ independently at random from $\mathbb{Z}_p$. In other words, the vector $\vec\gamma$ is picked at random from the vector space $\mathbb{F}_p^\ell$.

• If $b = 1$, the challenger picks the vector $\vec\gamma = (\gamma_1, \gamma_2, \ldots, \gamma_\ell)$ from the 2-dimensional subspace$^1$ generated by $\vec y, \vec z$. Let closure$(\vec y, \vec z)$ denote the subspace in $\mathbb{F}_p^\ell$ generated by $\vec y$ and $\vec z$. The following algorithm allows the challenger to pick a random vector $\vec\gamma$ from closure$(\vec y, \vec z)$. Pick $s, t \leftarrow \mathbb{Z}_p$, and compute

$$\vec\gamma = s\vec y + t\vec z$$

$^1$In the unlikely event that $\vec y$ and $\vec z$ are linearly dependent, $\dim(\mathrm{closure}(\vec y, \vec z)) < 2$. However, this happens with negligible probability.
Define the following notation:

$$g_p^{\vec x} := \left(g_p^{x_1}, g_p^{x_2}, \ldots, g_p^{x_\ell}\right) \quad \text{where } \vec x \in \mathbb{F}_p^\ell$$

Now the challenger gives an adversary the description of the group, $(N = pqr\tilde r, G, G_T, e)$, generators of each subgroup, $g_p, g_q, g_r, g_{\tilde r}$, and the following tuple:

$$\left(g_p^{\vec y},\ g_p^{\vec z},\ g_p^{\vec\gamma}\right)$$

The  adversary’s  task  is  to  guess  the  outcome  of  the  coin  flip  b.  We  claim  that  no  polynomial-time 
adversary  is  able  to  guess  the  outcome  of  the  coin  flip  b  with  more  than  negligible  advantage.  In 
fact,  we  show  that  this  problem  is  at  least  as  hard  as  the  D-Linear  problem. 

Proof: We use a hybrid argument to show that the $\ell$-DLinear problem (Observation 5.7.3) is at least as hard as the D-Linear problem. We first review the D-Linear assumption. Suppose an adversary is given a description of the group, $(N = pqr\tilde r, G, G_T, e)$, generators of each subgroup, $g_p, g_q, g_r, g_{\tilde r}$, and the following tuple:

$$\left(g_p,\ g_p^a,\ g_p^b,\ g_p^{a\rho},\ g_p^{b\tau},\ Y\right)$$

where $a, b, \rho, \tau$ are random exponents in $\mathbb{Z}_p$. The adversary tries to decide whether $Y = g_p^{\rho+\tau}$ or whether $Y$ is a random element in $G_p$. The D-Linear assumption states that no polynomial-time adversary can have more than negligible advantage in this experiment.

We now prove Observation 5.7.3 (the $\ell$-DLinear assumption) through a hybrid argument. We define the following sequence of games, where $*$ represents a random element from the group $G_p$.

Game: What the challenger gives to the adversary

Game$_\ell$: $\left(g_p^{\vec y},\ g_p^{\vec z},\ g_p^{sy_1+tz_1},\ g_p^{sy_2+tz_2},\ g_p^{sy_3+tz_3},\ \ldots,\ g_p^{sy_{\ell-2}+tz_{\ell-2}},\ g_p^{sy_{\ell-1}+tz_{\ell-1}},\ g_p^{sy_\ell+tz_\ell}\right)$

Game$_{\ell-1}$: $\left(g_p^{\vec y},\ g_p^{\vec z},\ g_p^{sy_1+tz_1},\ g_p^{sy_2+tz_2},\ g_p^{sy_3+tz_3},\ \ldots,\ g_p^{sy_{\ell-2}+tz_{\ell-2}},\ g_p^{sy_{\ell-1}+tz_{\ell-1}},\ *\right)$

Game$_{\ell-2}$: $\left(g_p^{\vec y},\ g_p^{\vec z},\ g_p^{sy_1+tz_1},\ g_p^{sy_2+tz_2},\ g_p^{sy_3+tz_3},\ \ldots,\ g_p^{sy_{\ell-2}+tz_{\ell-2}},\ *,\ *\right)$

$\vdots$

Game$_2$: $\left(g_p^{\vec y},\ g_p^{\vec z},\ g_p^{sy_1+tz_1},\ g_p^{sy_2+tz_2},\ *,\ *,\ \ldots,\ *,\ *\right)$

It is not hard to see that Game$_\ell$ is equivalent to the $\ell$-DLinear experiment when $b = 1$; and Game$_2$ is equivalent to the $\ell$-DLinear experiment when $b = 0$. Due to the hybrid argument, it suffices to prove that no polynomial-time adversary can distinguish between two adjacent games.

We now show that if there exists a polynomial-time adversary A that can distinguish between two adjacent games Game$_d$ and Game$_{d-1}$ with advantage $\epsilon$, then we can build a polynomial-time simulator B that utilizes A as a black box, and wins the D-Linear experiment also with advantage $\epsilon$. We now explain how the simulator B works.

Suppose B is given the D-Linear instance $(g_p, g_p^a, g_p^b, g_p^{a\rho}, g_p^{b\tau}, Y)$, and tries to decide whether $Y = g_p^{\rho+\tau}$ or $Y \leftarrow G_p$. The simulator picks random elements $k_2, k_3, \ldots, k_{d-1}, y_d, y_{d+1}, \ldots, y_\ell$ and $w_2, w_3, \ldots, w_{d-1}, z_d, z_{d+1}, \ldots, z_\ell$ from $\mathbb{Z}_N$, and implicitly sets:

$$\vec y = (a,\ k_2 a,\ k_3 a,\ \ldots,\ k_{d-1} a,\ y_d,\ y_{d+1},\ \ldots,\ y_\ell)$$

$$\vec z = (b,\ w_2 b,\ w_3 b,\ \ldots,\ w_{d-1} b,\ z_d,\ z_{d+1},\ \ldots,\ z_\ell)$$

It also implicitly sets

$$s = \rho\, y_d^{-1},\qquad t = \tau\, z_d^{-1}$$

where multiplicative inverses are taken modulo $N$. (For our purposes, this is equivalent to taking multiplicative inverses modulo $p$.)

Note  that  the  simulator  does  not  know  the  values  of  a,  b,  p,  r.  It  merely  sets  the  above  parame¬ 
ters  implicitly,  without  actually  computing  them. 

Now the simulator B gives the adversary A the following tuple:

$$\left( g_p^{\vec y},\ g_p^{\vec z},\ \left(g_p^{a\rho}\right)^{y_d^{-1}} \left(g_p^{b\tau}\right)^{z_d^{-1}},\ \left\{ \left(g_p^{a\rho}\right)^{k_i y_d^{-1}} \left(g_p^{b\tau}\right)^{w_i z_d^{-1}} \right\}_{i=2}^{d-1},\ Y,\ *,\ \ldots,\ * \right)$$

Here $g_p^{\vec y} = (g_p^a, (g_p^a)^{k_2}, \ldots, (g_p^a)^{k_{d-1}}, g_p^{y_d}, \ldots, g_p^{y_\ell})$ and $g_p^{\vec z} = (g_p^b, (g_p^b)^{w_2}, \ldots, (g_p^b)^{w_{d-1}}, g_p^{z_d}, \ldots, g_p^{z_\ell})$ are computable from the D-Linear instance; for $i < d$ the $i$-th coordinate equals $g_p^{sy_i + tz_i}$ because $sy_i = \rho y_d^{-1} k_i a$ and $tz_i = \tau z_d^{-1} w_i b$ (with $k_1 = w_1 = 1$), and the $d$-th coordinate $g_p^{sy_d + tz_d} = g_p^{\rho+\tau}$ is supplied by $Y$.

Clearly, if $Y = g_p^{\rho+\tau}$, then the above experiment is identically distributed as Game$_d$. Otherwise, if $Y$ is a random element in $G_p$, then the above experiment is identically distributed as Game$_{d-1}$. Hence, if A can distinguish between Game$_{d-1}$ and Game$_d$ with advantage $\epsilon$, then B can win the D-Linear experiment with advantage $\epsilon$ as well. ■


Given the $\ell$-DLinear assumption, which is implied by the Decisional Linear assumption, we proceed to prove Lemma 5.7.18, that is, SchemeReal is computationally indistinguishable from SchemeSym.

Proof of Lemma 5.7.18 Let $\ell = 2n$. We show that distinguishing between SchemeReal and SchemeSym is at least as hard as the $\ell$-DLinear problem as stated in Observation 5.7.3. Our proof relies on a hybrid argument on the number of token queries made by the adversary. Let $k$ denote the number of token queries made by the adversary. We define a sequence of games, Game$_0$, Game$_1$, $\ldots$, Game$_k$. In Game$_d$ ($0 \le d \le k$), for the first $d$ tokens queried, the challenger picks the exponents $\{r_{1,i}, r_{2,i}\}_{i=1}^n$ from a pre-determined 2-dimensional subspace; and for the remaining token queries $d+1, \ldots, k$, the challenger picks completely random exponents $\{r_{1,i}, r_{2,i}\}_{i=1}^n$ from $\mathbb{F}_p^{2n}$.

More specifically, Game$_d$ ($0 \le d \le k$) is formally defined as below.

• Setup. The challenger picks two random vectors

$$\vec y = \{y_{1,i}, y_{2,i}\}_{i=1}^n,\qquad \vec z = \{z_{1,i}, z_{2,i}\}_{i=1}^n$$

and keeps them secret. These two vectors determine a 2-dimensional subspace closure$(\vec y, \vec z)$. Later, when the challenger answers the first $d$ token queries made by the adversary, it will pick the exponents $\{r_{1,i}, r_{2,i}\}_{i=1}^n$ at random from this subspace. The challenger now calls the Setup algorithm to generate a secret key as in SchemeReal.

•  Ciphertext  queries.  The  challenger  answers  all  ciphertext  queries  by  directly  calling  the 
Encrypt  algorithm. 

• Token queries. For the first $d$ token queries, the challenger picks exponents $\{r_{1,i}, r_{2,i}\}_{i=1}^n$ as below. Pick two random numbers $\rho, \tau \leftarrow \mathbb{Z}_p$, and set the values of $\vec r := \{r_{1,i}, r_{2,i}\}_{i=1}^n$ to be the following:

$$\forall i \in [n]:\quad r_{1,i} = \rho y_{1,i} + \tau z_{1,i},\qquad r_{2,i} = \rho y_{2,i} + \tau z_{2,i}$$

Expressed in vector form,

$$\vec r = \rho\vec y + \tau\vec z$$

In other words, $\vec r$ is picked at random from the 2-dimensional subspace closure$(\vec y, \vec z)$.

For the remaining token queries $d+1, \ldots, k$, the challenger generates tokens normally by calling the GenToken algorithm.

It is not hard to see that Game$_0$ is identically distributed as SchemeReal, and Game$_k$ is identically distributed as SchemeSym. Due to the hybrid argument, it suffices to show that no polynomial-time adversary is able to distinguish between two adjacent games Game$_{d-1}$ and Game$_d$ ($1 \le d \le k$) with more than negligible advantage.

We now show that if there exists a polynomial-time adversary A that can distinguish between Game$_{d-1}$ and Game$_d$ ($1 \le d \le k$) with advantage $\epsilon$, we can build a polynomial-time simulator B that uses A as a black box, and breaks the $\ell$-DLinear assumption also with advantage $\epsilon$. We now explain how the simulator B works. Suppose B is given the following $\ell$-DLinear instance $(g_p^{\vec y}, g_p^{\vec z}, g_p^{\vec\gamma})$, where $\vec y = \{y_{1,i}, y_{2,i}\}_{i=1}^n$, $\vec z = \{z_{1,i}, z_{2,i}\}_{i=1}^n$, and $\vec\gamma = \{\gamma_{1,i}, \gamma_{2,i}\}_{i=1}^n$. Now the simulator tries to distinguish whether $\vec\gamma \in \mathrm{closure}(\vec y, \vec z)$, or whether $\vec\gamma$ is a random vector in $\mathbb{F}_p^{2n}$. To do this, the simulator will set the exponents $\vec r = \{r_{1,i}, r_{2,i}\}_{i=1}^n$ in the first $d-1$ tokens to be random vectors in closure$(\vec y, \vec z)$. The simulator sets the exponents $\vec r$ in the $d$-th token to be the vector $\vec\gamma$. For the remaining token queries, the simulator chooses random exponents $\vec r \leftarrow \mathbb{F}_p^{2n}$. In this way, if $\vec\gamma \leftarrow \mathrm{closure}(\vec y, \vec z)$, the simulation is equivalent to Game$_d$; otherwise, if $\vec\gamma \leftarrow \mathbb{F}_p^{2n}$, the simulation is equivalent to Game$_{d-1}$.

• Setup. The simulator picks the following secret key:

$$\mathrm{MSK} = \left(g_p,\ g_q,\ g_r,\ g_{\tilde r},\ \left\{ h_{1,i} = g_p^{\omega_{1,i}},\ h_{2,i} = g_p^{\omega_{2,i}},\ \hat h_{1,i} = g_p^{\kappa_{1,i}},\ \hat h_{2,i} = g_p^{\kappa_{2,i}} \right\}_{i=1}^n\right)$$

where $\omega_{1,i}, \omega_{2,i}, \kappa_{1,i}, \kappa_{2,i}$ are random exponents in $\mathbb{Z}_p$.

•  Ciphertext  queries.  The  simulator  answers  all  ciphertext  queries  by  directly  calling  the 
Encrypt  algorithm. 

• Token queries. For all token queries, the simulator picks random exponents $f_1, f_2$ from $\mathbb{Z}_N$; random hiding factors $R_0, \hat R_0$ from the subgroup $G_r$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^n$ from $G_{\tilde r}$. It chooses the values of $\vec r = \{r_{1,i}, r_{2,i}\}_{i=1}^n$ in one of the following ways:

■ For the first $d-1$ token queries, the challenger picks random $\rho, \tau$ from $\mathbb{Z}_p$ ($\rho, \tau$ are picked as fresh random numbers for each of the first $d-1$ token queries), and implicitly lets $\vec r = \{r_{1,i}, r_{2,i}\}_{i=1}^n$ be the following (without actually computing it):

$$\vec r = \rho\vec y + \tau\vec z$$

In the above expression, $\vec y$ and $\vec z$ are inherited from the $\ell$-DLinear instance. Note that the simulator does not know the values of $\vec y$ and $\vec z$; it implicitly sets the vector $\vec r$ without computing its value. Now the simulator computes the following token:


$$\mathrm{TK} = \left( \begin{array}{l} K_0 = R_0 \cdot \prod_{i=1}^n \left(g_p^{y_{1,i}}\right)^{-\rho\omega_{1,i}} \left(g_p^{z_{1,i}}\right)^{-\tau\omega_{1,i}} \left(g_p^{y_{2,i}}\right)^{-\rho\omega_{2,i}} \left(g_p^{z_{2,i}}\right)^{-\tau\omega_{2,i}}, \\[4pt] \hat K_0 = \hat R_0 \cdot \prod_{i=1}^n \left(g_p^{y_{1,i}}\right)^{-\rho\kappa_{1,i}} \left(g_p^{z_{1,i}}\right)^{-\tau\kappa_{1,i}} \left(g_p^{y_{2,i}}\right)^{-\rho\kappa_{2,i}} \left(g_p^{z_{2,i}}\right)^{-\tau\kappa_{2,i}}, \\[4pt] \left\{ K_{1,i} = \left(g_p^{y_{1,i}}\right)^{\rho} \left(g_p^{z_{1,i}}\right)^{\tau} g_q^{f_1 v_i} R_{1,i},\quad K_{2,i} = \left(g_p^{y_{2,i}}\right)^{\rho} \left(g_p^{z_{2,i}}\right)^{\tau} g_q^{f_2 v_i} R_{2,i} \right\}_{i=1}^n \end{array} \right)$$


■ For the $d$-th token query, the simulator will implicitly set the exponents $\vec r = \vec\gamma$, where $\vec\gamma$ is adopted from the $\ell$-DLinear instance. More specifically, the simulator computes the following token:

$$\mathrm{TK} = \left( \begin{array}{l} K_0 = R_0 \cdot \prod_{i=1}^n \left(g_p^{\gamma_{1,i}}\right)^{-\omega_{1,i}} \left(g_p^{\gamma_{2,i}}\right)^{-\omega_{2,i}},\qquad \hat K_0 = \hat R_0 \cdot \prod_{i=1}^n \left(g_p^{\gamma_{1,i}}\right)^{-\kappa_{1,i}} \left(g_p^{\gamma_{2,i}}\right)^{-\kappa_{2,i}}, \\[4pt] \left\{ K_{1,i} = g_p^{\gamma_{1,i}} g_q^{f_1 v_i} R_{1,i},\quad K_{2,i} = g_p^{\gamma_{2,i}} g_q^{f_2 v_i} R_{2,i} \right\}_{i=1}^n \end{array} \right)$$


■ For the remaining token queries $d+1, \ldots, k$, the simulator generates tokens by directly calling the GenToken algorithm. In this case, the exponents $\vec r$ are chosen as a random vector in $\mathbb{F}_p^{2n}$.

• Guess. If the adversary guesses that it is playing Game$_d$, the simulator guesses that $\vec\gamma \leftarrow \mathrm{closure}(\vec y, \vec z)$. Otherwise, if the adversary guesses that it is playing Game$_{d-1}$, the simulator guesses that $\vec\gamma \leftarrow$

Clearly, if the adversary has advantage $\epsilon$ in distinguishing Game$_d$ and Game$_{d-1}$ ($1 \le d \le k$), the simulator also has advantage $\epsilon$ in the $\ell$-DLinear experiment. ■


Symmetry  of  token  and  ciphertext  in  SchemeSym 

So far, it may not be completely obvious why the tokens and ciphertexts are symmetrically formed in SchemeSym. To show why this is true, we give a different description of SchemeSym, and call the resulting scheme SchemeSymII. SchemeSymII is in fact the same scheme as SchemeSym, although the description seems different on the surface. It will be clear from the description of SchemeSymII that tokens and ciphertexts are symmetrically formed. We then explain why SchemeSym and SchemeSymII are in fact the same scheme. Basically, tokens and ciphertexts in SchemeSym are identically distributed as tokens and ciphertexts in SchemeSymII (except with negligible probability).

Before we formally define SchemeSymII, we first explain the intuition. In SchemeSym, both the ciphertext and the token have $2n+2$ terms. Clearly, in SchemeSymII, tokens and ciphertexts are symmetric in the $G_q$, $G_r$, $G_{\tilde r}$ subgroups. In particular, the $G_q$ subgroup has the same form in both the ciphertext and the token, and the $G_r$ and $G_{\tilde r}$ subgroups "mirror" each other.

However, it may not be entirely obvious that the $G_p$ subgroup is symmetric as well; this is what we are about to show. Let us now focus on the elements in the $G_p$ subgroup in the ciphertext and token. We represent elements in the $G_p$ subgroup in the canonical form $g_p^x$, where $g_p$ is a generator of $G_p$, and $x \in \mathbb{Z}_p$. In both the ciphertext and the token, the exponents in the $G_p$ subgroup (base $g_p$) form a vector in $\mathbb{F}_p^{2n+2}$. We now show that these exponents have the following distribution (except with negligible probability).
• Pick two random 2-dimensional subspaces $S_1, S_2 \subset \mathbb{F}_p^{2n+2}$ that are orthogonal to each other, that is, $S_1 \perp S_2$. The fact that $S_1 \perp S_2$ ensures that the $G_p$ subgroup cancels out in the Query algorithm.

• For every ciphertext generated, pick a random vector $\vec\mu \leftarrow S_1$ to be the exponents in the $G_p$ subgroup (base $g_p$).

• For every token generated, pick a random vector $\vec\nu \leftarrow S_2$ to be the exponents in the $G_p$ subgroup (base $g_p$).

Definition  5.7.19  (SchemeSymII)  We  define  the  following  encryption  scheme  henceforth  re¬ 
ferred  to  as  SchemeSymII.  From  the  description  of  SchemeSymII,  it  is  clear  that  tokens  and 
ciphertexts  are  symmetrically  formed. 

Setup($1^\lambda$): The setup algorithm first chooses random large primes $p, q, r, \tilde r$, and creates a bilinear group of composite order $N = pqr\tilde r$. Next, it picks generators $g_p, g_q, g_r, g_{\tilde r}$ from the subgroups $G_p, G_q, G_r, G_{\tilde r}$ respectively. The setup algorithm also needs to pick two orthogonal subspaces from $\mathbb{F}_p^{2n+2}$. To do so, the setup algorithm picks the following random exponents from $\mathbb{Z}_p$:

$$\vec\mu_1,\ \vec\mu_2,\ \vec\nu_1,\ \vec\nu_2 \in \mathbb{F}_p^{2n+2} \quad \text{s.t.} \quad \forall (i,j) \in [2] \times [2]:\ \langle \vec\mu_i, \vec\nu_j \rangle = 0$$

For example,

$$\langle \vec\mu_1, \vec\nu_1 \rangle := c_0 y_0 + \hat c_0 \hat y_0 + \sum_{i=1}^n \left(c_{1,i} y_{1,i} + c_{2,i} y_{2,i}\right)$$

All of the above parameters are kept as the secret key.

Remark 5.7.3 Intuitively, by picking $\vec\mu_1, \vec\mu_2$ and $\vec\nu_1, \vec\nu_2$, we are effectively picking two random 2-dimensional subspaces in $\mathbb{F}_p^{2n+2}$ that are orthogonal to each other:

$$\mathrm{closure}(\vec\mu_1, \vec\mu_2) \perp \mathrm{closure}(\vec\nu_1, \vec\nu_2)$$

where

$$\vec\mu_1 = \left(c_0,\ \hat c_0,\ \{c_{1,i}, c_{2,i}\}_{i=1}^n\right),\quad \vec\mu_2 = \left(d_0,\ \hat d_0,\ \{d_{1,i}, d_{2,i}\}_{i=1}^n\right),\quad \vec\nu_1 = \left(y_0,\ \hat y_0,\ \{y_{1,i}, y_{2,i}\}_{i=1}^n\right),\quad \vec\nu_2 = \left(z_0,\ \hat z_0,\ \{z_{1,i}, z_{2,i}\}_{i=1}^n\right)$$

$$\forall (i,j) \in [2] \times [2]:\ \langle \vec\mu_i, \vec\nu_j \rangle = 0$$

In the unlikely event that $\vec\mu_1$ and $\vec\mu_2$ (or $\vec\nu_1$ and $\vec\nu_2$) are linearly dependent, the dimension of closure$(\vec\mu_1, \vec\mu_2)$ (or closure$(\vec\nu_1, \vec\nu_2)$) may be smaller than 2. However, this happens only with negligible probability.

Encrypt(MSK, $\vec x$): Let $\vec x = (x_1, x_2, \ldots, x_n) \in (\mathbb{Z}_N)^n$. The encryption algorithm first picks random exponents $s, t, \alpha, \beta$ from $\mathbb{Z}_p$. Then, it chooses random hiding factors $R_0, \hat R_0$ from the subgroup $G_{\tilde r}$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^n$ from $G_r$. The encryption algorithm computes the following ciphertext:

$$\mathrm{CT} = \left( C_0 = R_0 \cdot g_p^{sc_0 + td_0},\quad \hat C_0 = \hat R_0 \cdot g_p^{s\hat c_0 + t\hat d_0},\quad \left\{ C_{1,i} = g_p^{sc_{1,i} + td_{1,i}} g_q^{\alpha x_i} R_{1,i},\ C_{2,i} = g_p^{sc_{2,i} + td_{2,i}} g_q^{\beta x_i} R_{2,i} \right\}_{i=1}^n \right)$$
Remark 5.7.4 In the above ciphertext, the exponents in the $G_p$ subgroup form the following vector:

$$\vec\mu = \left(sc_0 + td_0,\ s\hat c_0 + t\hat d_0,\ \{sc_{1,i} + td_{1,i},\ sc_{2,i} + td_{2,i}\}_{i=1}^n\right) = s\vec\mu_1 + t\vec\mu_2$$

It is not hard to see that $\vec\mu$ is chosen as a random vector in the 2-dimensional subspace defined by closure$(\vec\mu_1, \vec\mu_2)$.

GenToken(MSK, $\vec v$): Let $\vec v = (v_1, v_2, \ldots, v_n) \in (\mathbb{Z}_N)^n$. The GenToken algorithm behaves symmetrically to the Encrypt algorithm. It first picks random exponents $\rho, \tau, f_1, f_2$ from $\mathbb{Z}_p$. Then, it chooses random hiding factors $R_0, \hat R_0$ from the subgroup $G_r$; and random $\{R_{1,i}, R_{2,i}\}_{i=1}^n$ from $G_{\tilde r}$. The token is formed as below:

$$\mathrm{TK} = \left( K_0 = R_0 \cdot g_p^{\rho y_0 + \tau z_0},\quad \hat K_0 = \hat R_0 \cdot g_p^{\rho\hat y_0 + \tau\hat z_0},\quad \left\{ K_{1,i} = g_p^{\rho y_{1,i} + \tau z_{1,i}} g_q^{f_1 v_i} R_{1,i},\ K_{2,i} = g_p^{\rho y_{2,i} + \tau z_{2,i}} g_q^{f_2 v_i} R_{2,i} \right\}_{i=1}^n \right)$$

Remark 5.7.5 In the above token, the exponents in the $G_p$ subgroup form the following vector:

$$\vec\nu = \left(\rho y_0 + \tau z_0,\ \rho\hat y_0 + \tau\hat z_0,\ \{\rho y_{1,i} + \tau z_{1,i},\ \rho y_{2,i} + \tau z_{2,i}\}_{i=1}^n\right) = \rho\vec\nu_1 + \tau\vec\nu_2$$

It is not hard to see that $\vec\nu$ is chosen as a random vector in the 2-dimensional subspace defined by closure$(\vec\nu_1, \vec\nu_2)$.

Query(TK$_{\vec v}$, CT$_{\vec x}$): Same as the Query algorithm of SchemeReal. Note that as the two subspaces closure$(\vec\mu_1, \vec\mu_2)$ and closure$(\vec\nu_1, \vec\nu_2)$ are orthogonal to each other, $\langle \vec\mu, \vec\nu \rangle = 0$. Hence, in the Query algorithm, elements in the $G_p$ subgroup cancel out, resulting in $1 \in G_{T,p}$.

Lemma 5.7.20 (Equivalence of SchemeSym and SchemeSymII) Tokens and ciphertexts computed in SchemeSymII are identically distributed as in SchemeSym (except with negligible probability).

Proof: Let us now focus on SchemeSym. We first show that in the ciphertext, exponents in the $G_p$ subgroup are chosen as a random vector in a pre-determined 2-dimensional subspace (also chosen at random) in $\mathbb{F}_p^{2n+2}$.

For $1 \le i \le n$, let $\omega_{1,i}, \omega_{2,i}$ denote the discrete logs of $h_{1,i}, h_{2,i}$ (base $g_p$); let $\kappa_{1,i}, \kappa_{2,i}$ denote the discrete logs of $\hat h_{1,i}, \hat h_{2,i}$ (base $g_p$). $\{\omega_{1,i}, \omega_{2,i}\}_{i=1}^n$ and $\{\kappa_{1,i}, \kappa_{2,i}\}_{i=1}^n$ are chosen independently at random from $\mathbb{Z}_p$ in the Setup algorithm.

In the Encrypt algorithm of SchemeSym, we pick two random numbers $s, t \leftarrow \mathbb{Z}_p$, and in the ciphertext, the exponents in the $G_p$ subgroup (base $g_p$) have the following form:

$$\vec\mu := \left(s,\ t,\ \{s\omega_{1,i} + t\kappa_{1,i},\ s\omega_{2,i} + t\kappa_{2,i}\}_{i=1}^n\right) \qquad (5.11)$$

Define the following two vectors:

$$\vec\mu_1 := \left(1,\ 0,\ \{\omega_{1,i}, \omega_{2,i}\}_{i=1}^n\right) \in \mathbb{F}_p^{2n+2},\qquad \vec\mu_2 := \left(0,\ 1,\ \{\kappa_{1,i}, \kappa_{2,i}\}_{i=1}^n\right) \in \mathbb{F}_p^{2n+2} \qquad (5.12)$$

Equation (5.11) can be expressed in the following form:

$$\vec\mu = s\vec\mu_1 + t\vec\mu_2$$


Therefore, an equivalent way to think of SchemeSym is as follows. In the Setup algorithm, we pick two vectors $\vec\mu_1$ and $\vec\mu_2$ as in Equation (5.12). It is not hard to see that closure$(\vec\mu_1, \vec\mu_2)$ defines a random 2-dimensional subspace in $\mathbb{F}_p^{2n+2}$ (except with negligible probability). Later, when computing ciphertexts, we always pick the exponents in the $G_p$ subgroup as a random vector in closure$(\vec\mu_1, \vec\mu_2)$.

We now examine the tokens in SchemeSym. It remains to show that in the tokens, exponents in the $G_p$ subgroup are chosen as random vectors from a random 2-dimensional subspace orthogonal to closure$(\vec\mu_1, \vec\mu_2)$. It is not hard to see that in the tokens of SchemeSym, the exponents of the $G_p$ subgroup are picked from a subspace orthogonal to closure$(\vec\mu_1, \vec\mu_2)$, since in the Query algorithm, the $G_p$ subgroup always cancels out, resulting in $1 \in G_p$. Now, we just need to show that the exponents in the token form a 2-dimensional subspace (as opposed to 1 dimension or some other number of dimensions). To understand why this is the case, we now present an alternative way to understand the formation of tokens in SchemeSym. In the Setup phase, pick the vectors $\vec y = (y_0, \hat y_0, \{y_{1,i}, y_{2,i}\}_{i=1}^n)$ and $\vec z = (z_0, \hat z_0, \{z_{1,i}, z_{2,i}\}_{i=1}^n)$ as below:

1. Pick $2n$ out of the $2n+2$ coordinates at random, that is, pick $\{y_{1,i}, y_{2,i}\}_{i=1}^n$ at random from $\mathbb{Z}_p$.

2. Given the constraints that $\langle \vec y, \vec\mu_1 \rangle = 0$ and $\langle \vec y, \vec\mu_2 \rangle = 0$, the first two coordinates $y_0, \hat y_0$ can be solved through a system of linear equations. We have two linear equations with two unknowns. The coefficients of the linear equations are linearly independent except with negligible probability. This means that except with negligible probability, $y_0, \hat y_0$ can be uniquely solved.

3. Pick $\vec z$ in exactly the same way as we did for $\vec y$.

It is not hard to see that by picking the vectors $y = (y_0, y_0', \{y_{1,i}, y_{2,i}\}_{i=1}^n)$ and $z = (z_0, z_0', \{z_{1,i}, z_{2,i}\}_{i=1}^n)$ in the manner specified above, we are equivalently picking a random subspace that is orthogonal to the subspace $\mathrm{closure}(\mu_1, \mu_2)$.

Later, when computing tokens, the GenToken algorithm picks the exponents in the $G_p$ subgroup as a random vector from $\mathrm{closure}(y, z)$.
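As an added illustration of the sampling procedure above (example code written for this page, not part of the thesis), the following Python picks $\mu_1, \mu_2$ at random, samples $y$ and $z$ exactly as in steps 1 to 3 by solving the $2 \times 2$ linear system for $y_0, y_0'$ over $\mathbb{Z}_p$, and then checks that $\mathrm{closure}(y, z)$ is 2-dimensional and orthogonal to $\mathrm{closure}(\mu_1, \mu_2)$, so that a random ciphertext-side vector and a random token-side vector always have inner product zero. The prime, the dimension $n$ and the random seed are constructed toy values.

```python
import random

# Constructed toy prime standing in for the large prime p; 2n + 2 is the length of
# the exponent vectors (y_0, y_0', {y_{1,i}, y_{2,i}}_{i=1}^n).
P = 1_000_003

def inner(a, b, p=P):
    return sum(u * w for u, w in zip(a, b)) % p

def complete_vector(mu1, mu2, tail, p=P):
    """Step 2: given the 2n freely chosen coordinates `tail`, solve the 2x2 linear
    system <y, mu1> = <y, mu2> = 0 for the first two coordinates (y_0, y_0').
    Returns None when the coefficient matrix is singular (negligible probability)."""
    a11, a12 = mu1[0], mu1[1]
    a21, a22 = mu2[0], mu2[1]
    b1 = (-inner(tail, mu1[2:], p)) % p   # right-hand sides of the two equations
    b2 = (-inner(tail, mu2[2:], p)) % p
    det = (a11 * a22 - a12 * a21) % p
    if det == 0:
        return None
    inv = pow(det, -1, p)                 # Cramer's rule over Z_p
    y0 = (b1 * a22 - a12 * b2) * inv % p
    y0p = (a11 * b2 - b1 * a21) * inv % p
    return [y0, y0p] + list(tail)

def sample_orthogonal(mu1, mu2, n, rng, p=P):
    """Steps 1-3: random tail, then solve for the head; retry on the singular case."""
    while True:
        tail = [rng.randrange(p) for _ in range(2 * n)]
        y = complete_vector(mu1, mu2, tail, p)
        if y is not None:
            return y

def rank_mod_p(vectors, p=P):
    """Rank of a family of vectors over Z_p by Gaussian elimination."""
    rows = [[x % p for x in v] for v in vectors]
    rank = 0
    for c in range(len(rows[0])):
        piv = next((r for r in range(rank, len(rows)) if rows[r][c]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][c], -1, p)
        rows[rank] = [x * inv % p for x in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][c]:
                f = rows[r][c]
                rows[r] = [(x - f * w) % p for x, w in zip(rows[r], rows[rank])]
        rank += 1
    return rank

def combine(u, v, c, d, p=P):
    """c*u + d*v: a random vector of closure(u, v) when c, d are random."""
    return [(c * a + d * b) % p for a, b in zip(u, v)]

def demo(n=3, seed=1):
    rng = random.Random(seed)
    dim = 2 * n + 2
    mu1 = [rng.randrange(P) for _ in range(dim)]   # Setup: the two ciphertext-side vectors
    mu2 = [rng.randrange(P) for _ in range(dim)]
    y = sample_orthogonal(mu1, mu2, n, rng)        # Setup: the two token-side vectors
    z = sample_orthogonal(mu1, mu2, n, rng)
    ct = combine(mu1, mu2, rng.randrange(P), rng.randrange(P))  # Encrypt: G_p exponents
    tk = combine(y, z, rng.randrange(P), rng.randrange(P))      # GenToken: G_p exponents
    return {
        "y_orthogonal": inner(y, mu1) == 0 and inner(y, mu2) == 0,
        "z_orthogonal": inner(z, mu1) == 0 and inner(z, mu2) == 0,
        "ciphertext_subspace_dim": rank_mod_p([mu1, mu2]),
        "token_subspace_dim": rank_mod_p([y, z]),
        "ct_tk_cancel": inner(ct, tk) == 0,   # why the G_p part of Query collapses to 1
    }

if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The token subspace comes out 2-dimensional because $y$ and $z$ differ in their $2n$ freely chosen coordinates, so they are linearly dependent only with probability about $1/p^{2n-1}$; the orthogonality is exact by construction, which is what makes the $G_p$ component of Equation (5.13)-style pairings vanish.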


5.8 Proof of Proposition 5.3.2


Proof of Proposition 5.3.2: Our proof is inspired by the hybrid argument used by Katz et al. [28]. We are given $\mathrm{Scheme}_{2n}$ which is SCI-secure, and our goal is to construct a fully-secure construction $\mathrm{Scheme}_n$. We give an explicit construction of $\mathrm{Scheme}_n$ below. Let $x = (x_1, x_2, \ldots, x_n) \in \Sigma^n$ and $x' = (x_1', x_2', \ldots, x_n') \in \Sigma^n$ denote two vectors of length $n$. Define

$$x \| x' := (x_1, x_2, \ldots, x_n, x_1', x_2', \ldots, x_n')$$

to be a vector of length $2n$ obtained by concatenating $x$ and $x'$. In particular, define

$$x \| x := (x_1, x_2, \ldots, x_n, x_1, x_2, \ldots, x_n)$$

to be a vector of length $2n$ obtained by repeating $x$ twice. Informally, our construction of $\mathrm{Scheme}_n$ works as follows. To encrypt a vector $x$ of length $n$ in $\mathrm{Scheme}_n$, we encrypt the vector $(x, x)$ of length $2n$ using $\mathrm{Scheme}_{2n}$. Similarly, to construct a token for the vector $v$ of length $n$, we use $\mathrm{Scheme}_{2n}$ to construct a token for the vector $(v, v)$ of length $2n$.

$\mathrm{Scheme}_n.\mathrm{Setup}(1^\lambda)$: Call $\mathrm{Scheme}_{2n}.\mathrm{Setup}(1^\lambda)$, and output exactly the same secret key MSK.

$\mathrm{Scheme}_n.\mathrm{Encrypt}(\mathrm{MSK}, x)$: Call $\mathrm{Scheme}_{2n}.\mathrm{Encrypt}(\mathrm{MSK}, x \| x)$ and output the resulting ciphertext.

$\mathrm{Scheme}_n.\mathrm{GenToken}(\mathrm{MSK}, v)$: Call $\mathrm{Scheme}_{2n}.\mathrm{GenToken}(\mathrm{MSK}, v \| v)$ and output the resulting token.

$\mathrm{Scheme}_n.\mathrm{Query}(\mathrm{TK}, \mathrm{CT})$: Call $\mathrm{Scheme}_{2n}.\mathrm{Query}(\mathrm{TK}, \mathrm{CT})$ and output the same outcome.

Note that the above construction is valid due to the following fact.

Fact 5.8.1 Let $N = pqrr'$, where $p, q, r$ and $r'$ are distinct large (odd) primes. Let $x, v \in \mathbb{Z}_N^n$. Then

$$\langle x, v \rangle = 0 \;\text{ iff }\; \langle x \| x, v \| v \rangle = 0$$

(Indeed, $\langle x \| x, v \| v \rangle = 2 \langle x, v \rangle$, and $2$ is invertible modulo the odd $N$.)

It remains to show that the above $\mathrm{Scheme}_n$ is fully-secure. To do so, let us first recall the security game (of full security). An adversary makes a series of queries to a challenger. Each query can be a ciphertext query or a token query. In a ciphertext query, the adversary specifies two vectors $x, y$ to the challenger, and gets back an encryption of one of these two plaintexts. In a token query, the adversary specifies two vectors $v, w$ to the challenger, and gets back a token for one of these two vectors. Suppose that the adversary makes $c$ ciphertext queries, denoted $(x_1, y_1), (x_2, y_2), \ldots, (x_c, y_c)$, and $t$ token queries, denoted $(v_1, w_1), (v_2, w_2), \ldots, (v_t, w_t)$, respectively. Let $X := (x_1, x_2, \ldots, x_c)$ and $Y := (y_1, y_2, \ldots, y_c)$ denote the ciphertext queries made by the adversary. Let $V := (v_1, v_2, \ldots, v_t)$ and $W := (w_1, w_2, \ldots, w_t)$ denote the token queries made by the adversary. Recall that $X, Y, V, W$ must satisfy the "indistinguishability under access pattern" condition:

$$\mathrm{AccessPattern}(X, V) = \mathrm{AccessPattern}(Y, W)$$

The challenger has a secret random bit $b$, and depending on its value, the challenger either constructs ciphertexts/tokens for $X, V$ (referred to as World 0), or constructs ciphertexts/tokens for $Y, W$ (referred to as World 1). Our task is to show that the adversary cannot distinguish between World 0 and World 1. To this end, we construct the following series of hybrid games.

World 0: The challenger calls $\mathrm{Scheme}_{2n}$ and computes ciphertexts/tokens for:

$$x_1 \| x_1,\; x_2 \| x_2,\; \ldots,\; x_c \| x_c$$
$$v_1 \| v_1,\; v_2 \| v_2,\; \ldots,\; v_t \| v_t$$

World A: The challenger calls $\mathrm{Scheme}_{2n}$ and computes ciphertexts/tokens for:

$$x_1 \| 0,\; x_2 \| 0,\; \ldots,\; x_c \| 0$$
$$v_1 \| v_1,\; v_2 \| v_2,\; \ldots,\; v_t \| v_t$$




World B: The challenger calls $\mathrm{Scheme}_{2n}$ and computes ciphertexts/tokens for:

$$x_1 \| 0,\; x_2 \| 0,\; \ldots,\; x_c \| 0$$
$$v_1 \| w_1,\; v_2 \| w_2,\; \ldots,\; v_t \| w_t$$

World M: The challenger picks a random $a \in \mathbb{Z}_N$, calls $\mathrm{Scheme}_{2n}$ and computes ciphertexts/tokens for the following vectors:

$$x_1 \| a y_1,\; x_2 \| a y_2,\; \ldots,\; x_c \| a y_c$$
$$v_1 \| w_1,\; v_2 \| w_2,\; \ldots,\; v_t \| w_t$$

Remark 5.8.1 Notice that in the above hybrid sequence, the access pattern remains the same between all worlds except with negligible probability.

Claim 5.8.2 Assume that $\mathrm{Scheme}_{2n}$ is SCI-secure; then no polynomial-time adversary has more than negligible advantage in distinguishing between adjacent games.

Proof: By a hybrid argument. ■

Similarly, we can have a sequence of hybrid games connecting World 1 and World M. By the hybrid argument, we conclude that no polynomial-time adversary has more than negligible advantage in distinguishing World 0 and World 1. ■
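To make the hybrid sequence concrete, here is an added Python example (not from the thesis) that builds the vectors handed to $\mathrm{Scheme}_{2n}$ in Worlds 0, A, B, M and 1 for a constructed set of adversary queries with $\mathrm{AccessPattern}(X, V) = \mathrm{AccessPattern}(Y, W)$, computes each world's access pattern as the matrix of zero/non-zero inner products, and checks Fact 5.8.1 along the way. It also counts how many choices of $a \in \mathbb{Z}_N$ would change World M's access pattern, which is the "negligible probability" of Remark 5.8.1. The modulus is a product of four small odd primes standing in for $p, q, r, r'$, and the query vectors are constructed toy values.

```python
# Constructed toy modulus: four small distinct odd primes standing in for the
# large primes p, q, r, r' of Fact 5.8.1 (illustration only, not secure sizes).
N = 3 * 5 * 7 * 11  # 1155

def inner(a, b, mod=N):
    return sum(u * w for u, w in zip(a, b)) % mod

def concat(a, b):
    """a || b: the length-2n vector obtained by concatenating a and b."""
    return list(a) + list(b)

def fact_holds(x, v, mod=N):
    """Fact 5.8.1: <x, v> = 0 iff <x||x, v||v> = 0, because <x||x, v||v> = 2<x, v>
    and 2 is invertible modulo an odd N."""
    return (inner(x, v, mod) == 0) == (inner(concat(x, x), concat(v, v), mod) == 0)

def access_pattern(cts, tks, mod=N):
    """c x t matrix of predicate outcomes: True where the inner product is 0 mod N."""
    return [[inner(x, v, mod) == 0 for v in tks] for x in cts]

def hybrid_worlds(X, Y, V, W, a, mod=N):
    """Ciphertext/token vectors handed to Scheme_2n in each hybrid world."""
    n = len(X[0])
    zero = [0] * n
    return {
        "World 0": ([concat(x, x) for x in X], [concat(v, v) for v in V]),
        "World A": ([concat(x, zero) for x in X], [concat(v, v) for v in V]),
        "World B": ([concat(x, zero) for x in X], [concat(v, w) for v, w in zip(V, W)]),
        "World M": ([concat(x, [(a * yi) % mod for yi in y]) for x, y in zip(X, Y)],
                    [concat(v, w) for v, w in zip(V, W)]),
        "World 1": ([concat(y, y) for y in Y], [concat(w, w) for w in W]),
    }

# Constructed adversary queries with AccessPattern(X, V) == AccessPattern(Y, W):
# only the first ciphertext matches the first token in each world.
X = [[1, 2, 3], [2, 2, 2]]
Y = [[5, 0, 0], [1, 1, 0]]
V = [[3, 0, N - 1], [1, 1, 1]]   # N - 1 plays the role of -1 in Z_N
W = [[0, 1, 0], [1, 0, 0]]

def world_patterns(a=7):
    """Access pattern of every hybrid world for one fixed choice of a."""
    return {name: access_pattern(cts, tks)
            for name, (cts, tks) in hybrid_worlds(X, Y, V, W, a).items()}

def bad_choices_of_a():
    """Values of a in Z_N for which World M's access pattern differs from World 0's:
    <x_i, v_j> + a <y_i, w_j> = 0 can only happen for a non-matching pair when a hits
    one specific residue, so the fraction of bad a is a few out of N."""
    target = access_pattern(*hybrid_worlds(X, Y, V, W, 0)["World 0"])
    return [a for a in range(N)
            if access_pattern(*hybrid_worlds(X, Y, V, W, a)["World M"]) != target]

if __name__ == "__main__":
    for name, pat in world_patterns().items():
        print(name, pat)
    print("choices of a that break the access pattern:", bad_choices_of_a(), "of", N)
```

For these inputs the access pattern is the same in all five worlds, and only 2 of the 1155 possible values of $a$ would change it; with $N$ a product of large primes that fraction becomes negligible, which is exactly what Remark 5.8.1 relies on.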


5.9  Comparison  with  Previous  Security  Definitions 

Only two prior works have considered query privacy in SK-PE: the work by Song et al. [39], and the work by Curtmola et al. [19]. In addition, both of these works consider simple keyword-based queries. Song et al. were the first to propose a searchable encryption scheme, and they did not present a formal security definition for query privacy. Curtmola et al. presented a formal security definition to intuitively capture the notion that both the plaintext entries and the queries should be hidden from the storage server. Their security definition is not satisfactory for the following reasons:

• The security definition by Curtmola et al. reveals the "search pattern", that is, if a user issues two queries for the same keyword, the storage server learns the fact that these two queries are equal. In our security definition, the query has the same (selective) semantic security as the plaintext. In particular, let $A$ and $A'$ denote two queries with the same access pattern; then the storage server is unable to decide whether a user has made the same query $A$ twice, or whether the user queried for $A$ followed by $A'$ instead.

• In Curtmola's security definition, the adversary first commits to two sets of documents (denoted $\mathcal{D}_0, \mathcal{D}_1$ in their paper [19]). Using our terminology, this means that the adversary has to commit to all the ciphertext queries it intends to make. Instead, we give the adversary more power in our full security definition. The adversary should be fully adaptive: it can decide what ciphertext queries and token queries to make depending on previous interactions with the challenger.

• Although we did not prove the security of our construction under the full security model, as Observation 5.9.1 points out, even the relaxed security model actually used in our proofs is stronger than Curtmola's definition.

Proposition 5.9.1 Given a selectively SCI-secure SK-PE construction on inner-product queries for vectors of length $2n$, it is possible to construct an SK-PE scheme on inner-product queries for vectors of length $n$, satisfying the security definition by Curtmola et al. (Definition 3.8 in their paper [19]).

Proof: The above proposition can be proved in a similar manner as Proposition 5.3.2. ■

In fact, in the above proof, when we use the scheme for vectors of length $2n$ to construct a scheme for vectors of length $n$, the resulting scheme (for vectors of length $n$) has stronger security than Curtmola's definition, as Curtmola's definition reveals the search pattern in addition. To reiterate, revealing the search pattern means that the storage server can tell if two queries submitted by the user are the same or not. Our security definition does not reveal the search pattern.


5.10  Review  of  the  KSW  Construction 

To aid the understanding of our construction, we review the KSW construction [28] for inner-product queries in the public-key setting.

Setup($1^\lambda$): The setup algorithm first chooses random large primes $p, q, r$, and creates a bilinear group of composite order $N = pqr$. Next it picks generators $g_p, g_q, g_r$ from the subgroups $G_p, G_q, G_r$ respectively. It also picks $h_{1,i}, h_{2,i}$ from $G_p$ and $R_{1,i}, R_{2,i}$ from $G_r$ for all $1 \le i \le n$, and a random $R_0$ from $G_r$.

The public key is composed as below:

$$\mathrm{PK} = \bigl(g_p,\; g_r,\; Q = g_q \cdot R_0,\; \{H_{1,i} = h_{1,i} R_{1,i},\; H_{2,i} = h_{2,i} R_{2,i}\}_{i=1}^n\bigr)$$

The secret key is set to the following:

$$\mathrm{SK} = \bigl(p,\; q,\; r,\; g_q,\; \{h_{1,i}, h_{2,i}\}_{i=1}^n\bigr)$$


Encrypt(PK, $x$): Let $x = (x_1, x_2, \ldots, x_n) \in (\mathbb{Z}_N)^n$. The encryption algorithm first picks random exponents $s, \alpha, \beta$ from $\mathbb{Z}_N$, and it chooses random $\{R_{3,i}, R_{4,i}\}_{i=1}^n$ from $G_r$.

Next, the encryption algorithm computes the following ciphertext:

$$\mathrm{CT} = \bigl(C_0 = g_p^s,\; \{C_{1,i} = H_{1,i}^s \cdot Q^{\alpha x_i} \cdot R_{3,i},\; C_{2,i} = H_{2,i}^s \cdot Q^{\beta x_i} \cdot R_{4,i}\}_{i=1}^n\bigr)$$

GenToken(MSK, $v$): Let $v = (v_1, v_2, \ldots, v_n) \in (\mathbb{Z}_N)^n$. The GenToken algorithm picks random exponents $f_1, f_2, \{r_{1,i}, r_{2,i}\}_{i=1}^n$ from $\mathbb{Z}_N$. Then, it chooses a random hiding factor $R_5$ from the subgroup $G_r$, and a random $Q_6$ from $G_q$.

Next, the GenToken algorithm computes the following token:

$$\mathrm{TK} = \Bigl(K_0 = R_5 \, Q_6 \prod_{i=1}^n h_{1,i}^{-r_{1,i}} h_{2,i}^{-r_{2,i}},\; \{K_{1,i} = g_p^{r_{1,i}} g_q^{f_1 v_i},\; K_{2,i} = g_p^{r_{2,i}} g_q^{f_2 v_i}\}_{i=1}^n\Bigr)$$

Query($\mathrm{TK}_v$, $\mathrm{CT}_x$): The Query algorithm computes

$$e(C_0, K_0) \cdot \prod_{i=1}^n e(C_{1,i}, K_{1,i})\, e(C_{2,i}, K_{2,i}) = 1 \qquad (5.13)$$

and outputs 0 iff the above is equal to 1, indicating that $\langle x, v \rangle = 0 \bmod N$. (The case that $\langle x, v \rangle = 0 \bmod q$, but $\langle x, v \rangle \neq 0 \bmod N$, happens with negligible probability, as explained earlier.)
Chapter 6

Conclusion and Future Work


6.1  Conclusion 

Predicate encryption is a new encryption paradigm enabling fine-grained access control to the encrypted data. In predicate encryption, the secret key owner can compute a capability which allows one to evaluate the outcome of a predicate on the encrypted data.

An important research challenge in predicate encryption is how to support more expressive query predicates and richer operations. In this thesis, we made the following contributions to the area of predicate encryption.

• We propose a predicate encryption scheme supporting multi-dimensional range queries (Chapter [?]). This construction is secure in the match-revealing model. Multi-dimensional range queries are particularly important in practice, especially in database applications, as SQL queries are by nature multi-dimensional range queries.

• We study how to delegate capabilities in predicate encryption, and propose a construction that supports delegation on conjunctive queries (Chapter [?]).

• We consider the problem of query privacy in predicate encryption. In many practical applications, it would be desirable to hide the queries encoded in the capabilities, in addition to hiding the plaintext data. We show that query privacy is inherently not possible in the public-key setting, due to the fact that anyone can encrypt with a public key. However, we demonstrate that query privacy is indeed possible in the secret-key setting. Specifically, we provide a secret-key predicate encryption scheme that protects the privacy of both the query predicates and the plaintext data. Our construction supports inner-product queries (Chapter 5).

6.2  Future  Work 

The  following  are  important  questions  that  remain  to  be  answered  in  predicate  encryption: 

• Almost all of the known constructions are proven secure in the selective security model, that is, the adversary commits to a challenge identity at the beginning of the game. In the setting of bilinear groups, some progress has been made recently at proving adaptive security [22, 23]. In particular, Gentry's construction [22] implies a predicate encryption system on equality-test queries. An important open question is how to construct more expressive predicate encryption schemes and prove security under the adaptive notion of security.


• Another topic worth investigating is how to build expressive predicate encryption systems using other mathematical primitives and assumptions. For example, Boneh et al. built anonymous identity-based encryption based on the quadratic residuosity problem modulo an RSA composite. This implies a predicate encryption system supporting equality-test queries. It is an open research problem how to build more expressive predicate encryption systems without pairings.

• The most expressive predicate encryption system known to this day supports inner-product queries. A big question is how to build systems that are even more expressive. Based on experience, we know that supporting disjunctions might be hard in pairing-based predicate encryption systems. The inner-product scheme can support bounded-size disjunctive queries by converting them to polynomial evaluation queries. However, such conversions incur a large expansion factor in the cost, making it expensive to support large disjunctive queries.
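As an added illustration of the conversion just mentioned (example code for this page, not from the thesis), the following Python encodes an equality disjunction as a polynomial evaluation so that an inner-product predicate decides it: for a single attribute, $x \in \{a_1, \ldots, a_d\}$ iff $\prod_j (x - a_j) = 0$, so the ciphertext side carries $(1, x, \ldots, x^d)$ and the token side the $d+1$ coefficients. It also goes beyond the single-attribute case to a disjunction over $\ell$ distinct attributes, $\bigvee_k (x_k = a_k)$, where the vector of monomials has $2^\ell$ entries, which is the kind of expansion factor the bullet refers to. The modulus and the values are constructed toy inputs; only the predicate logic is shown, not the encryption around it.

```python
from itertools import product

# Constructed toy modulus; the inner-product scheme works over Z_N for a composite N,
# a small prime is used here only to keep the arithmetic readable.
MOD = 1_000_003

def inner(a, b, mod=MOD):
    return sum(u * w for u, w in zip(a, b)) % mod

def poly_from_roots(roots, mod=MOD):
    """Coefficients c_0, ..., c_d of prod_j (X - a_j), lowest degree first."""
    coeffs = [1]
    for a in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - a * c) % mod      # the (-a) * c_i X^i term
            nxt[i + 1] = (nxt[i + 1] + c) % mod  # the c_i X^(i+1) term
        coeffs = nxt
    return coeffs

def encode_attribute(x, d, mod=MOD):
    """Ciphertext-side vector (1, x, x^2, ..., x^d) for a single attribute."""
    return [pow(x, i, mod) for i in range(d + 1)]

def disjunction_token(values, mod=MOD):
    """Token-side vector for the query  x = a_1 OR ... OR x = a_d  (d + 1 entries)."""
    return poly_from_roots(values, mod)

def encode_attributes(xs, mod=MOD):
    """Multi-attribute ciphertext side: the monomial prod_{k in S} x_k for every subset S
    of the attribute indices, 2^l entries, in the order produced by itertools.product."""
    out = []
    for mask in product((0, 1), repeat=len(xs)):
        m = 1
        for x, bit in zip(xs, mask):
            if bit:
                m = m * x % mod
        out.append(m)
    return out

def multi_disjunction_token(targets, mod=MOD):
    """Coefficients of prod_k (x_k - a_k) in the same monomial order: the monomial that
    omits attribute k picks up the factor (-a_k). Query: x_1 = a_1 OR ... OR x_l = a_l."""
    out = []
    for mask in product((0, 1), repeat=len(targets)):
        c = 1
        for a, bit in zip(targets, mask):
            if not bit:
                c = c * (-a) % mod
        out.append(c)
    return out

def matches(ct_vec, tk_vec, mod=MOD):
    """The predicate the inner-product scheme evaluates: is <x, v> = 0?"""
    return inner(ct_vec, tk_vec, mod) == 0

if __name__ == "__main__":
    tk = disjunction_token([5, 9, 12])              # x in {5, 9, 12}, vector length 4
    print(matches(encode_attribute(9, 3), tk), matches(encode_attribute(7, 3), tk))
    tk2 = multi_disjunction_token([3, 8])           # x_1 = 3 OR x_2 = 8, vector length 4
    print(matches(encode_attributes([3, 1]), tk2), matches(encode_attributes([1, 1]), tk2))
    print("entries for a 5-attribute disjunction:", len(multi_disjunction_token([1, 2, 3, 4, 5])))
```

A $d$-term disjunction on one attribute costs $d+1$ vector entries, but an $\ell$-attribute disjunction costs $2^\ell$ entries, so the ciphertext and token sizes of the inner-product scheme grow exponentially with the number of attributes in the disjunction, which is the cost the bullet describes.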